61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e

Analysis

max time kernel
168s
max time network
102s
platform
windows7_x64
resource
win7v20210408
submitted
20/09/2021, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sqlservr.exe
Size

1.8MB
MD5

e1338c42da2d2363afbbd0eeabad1ca9
SHA1

fe5d669b732c9227bb25787083906f49b732c335
SHA256

61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e
SHA512

bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a

Score

10^/10

evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Read Me.TXT

Ransom Note

8888888b. 888 888 Y88b 888 888 888 888 888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 8888888P" d8P Y8b d88" 888 d8P Y8b d8P Y8b 888 "888 "88b d8P Y8b 888P" 888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 888 T88b "Y8888 "Y88888 "Y8888 "Y8888 888 888 888 "Y8888 888 Made by Cerebrate - Dread Forums TOR [http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/] [Q1] What happened, I cannot open my files and they have an odd extension? [A1] Your files have been encrypted by Redeemer, a new ransomware operation. [Q2] Is there any way to recover my files? [A2] Yes, you can recover your files. This will however cost you money in XMR (Monero). [Q3] Is there any any way to recover my files without paying? [A3] Without paying it is impossible your files. Redeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security. Without a proper key, you will never regain access to your files. [Q4] What is XMR (Monero)? [A4] It is a privacy oriented cryptocurrency. You can learn more about Monero on getmonero.org. You can view ways to purchase it on www.monero.how/how-to-buy-monero. [Q5] How will I decrypt my files? [A5] Follow the general instructions: -1. Buy 02 XMR. -2. Contact [email protected] and send the following key: -----BEGIN REDEEMER PUBLIC KEY----- NDEhcAxlxZFcOah1x6Msz8aSJQCvSERJpvULl3I0gvggk5fyVG m2P5EvQCNsZOpDHGek5no49ldzt5nAV4yCMvLUKX69mLJ+oh+p D4cS3yqGJxvvv/nxFt1YtU1Yw9foQXjNNeOnMgTwn6gmSKoqHw 0DHmDOSWZeNq/sgcieAV9vsHNXF4TnCfEnICB3fi4piw11pf+T Yr91IQ54rnYG7BoPLgrTxRfWRogrxn3Fr9MzXpLkJ0YtIoNn3R A/x8dmAUm2Pwh+fpKBz/FUx3TtLvnHm8c3je2UHc12BEnw2Oly 6/cSmt/nDZ/rLgqhr+CrKcYK+j8MHM0vNVfXC9vTgbFS7W0/7G 6dfVXRm1fm90idVUznYsaNV0FUxJquKb4rmepYscl70Buh4RY0 U7ZZ6CWAZ2xd1fkpvz1Xr9IIWp+LQBeBaZPvsJqcZftVoWjyE9 YLwcwQfBhFneCtyhQf0dYOZ0uaPyq00R40DtNfqzL6LiwCFcWL ToC08EOxxGkDTBJ7N3XCHTX8hysU+d9gfoU98TjH3uDWZKJ5Gg uEy5XO34QsptBnk8mWDAMpozKlOdI0uPZn7zR7AU8lcwfYvtcr CJJrNKak+MiDpxKAo59w61FWJ1ZNasySth7OErawloU8tcen84 GhthukTZ/FQrEK+a6NSe8uPLBaG6b4mjTblA== -----END REDEEMER PUBLIC KEY----- -3. You will receive an XMR address where you will need to pay the requested amount of Monero. -4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal.

Emails

[email protected]

Signatures

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
1832	taskmgr.exe

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\SubmitConnect.crw.redeem	taskmgr.exe
File opened for modification	C:\Users\Admin\Pictures\ApproveUse.tiff	taskmgr.exe
File created	C:\Users\Admin\Pictures\DenyCheckpoint.raw.redeem	taskmgr.exe
File created	C:\Users\Admin\Pictures\ApproveUse.tiff.redeem	taskmgr.exe
File created	C:\Users\Admin\Pictures\ReadMount.png.redeem	taskmgr.exe
File created	C:\Users\Admin\Pictures\EnableRemove.raw.redeem	taskmgr.exe
File created	C:\Users\Admin\Pictures\ReadSuspend.png.redeem	taskmgr.exe
File created	C:\Users\Admin\Pictures\SkipAdd.tiff.redeem	taskmgr.exe
File opened for modification	C:\Users\Admin\Pictures\EditConvertTo.tiff	taskmgr.exe
File opened for modification	C:\Users\Admin\Pictures\SkipAdd.tiff	taskmgr.exe
File created	C:\Users\Admin\Pictures\ConvertFromFind.tif.redeem	taskmgr.exe
File created	C:\Users\Admin\Pictures\EditConvertTo.tiff.redeem	taskmgr.exe

Deletes itself 1 IoCs

pid	Process
1832	taskmgr.exe

Loads dropped DLL 1 IoCs

pid	Process
1068	sqlservr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 16 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	taskmgr.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	taskmgr.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskmgr.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskmgr.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	taskmgr.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskmgr.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	taskmgr.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	taskmgr.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskmgr.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskmgr.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted"	taskmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "8888888b. 888 \n888 Y88b 888 \n888 888 888 \n888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 \n8888888P\" d8P Y8b d88\" 888 d8P Y8b d8P Y8b 888 \"888 \"88b d8P Y8b 888P\" \n888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 \n888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 \n888 T88b \"Y8888 \"Y88888 \"Y8888 \"Y8888 888 888 888 \"Y8888 888 \n\nMade by Cerebrate - Dread Forums TOR\n[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]\n\n\n\n[Q1] What happened, I cannot open my files and they have an odd extension?\n[A1] Your files have been encrypted by Redeemer, a new ransomware operation.\n\n[Q2] Is there any way to recover my files?\n[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).\n\n[Q3] Is there any any way to recover my files without paying?\n[A3] Without paying it is impossible your files.\nRedeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security.\nWithout a proper key, you will never regain access to your files.\n\n[Q4] What is XMR (Monero)?\n[A4] It is a privacy oriented cryptocurrency.\nYou can learn more about Monero on getmonero.org.\nYou can view ways to purchase it on www.monero.how/how-to-buy-monero.\n\n[Q5] How will I decrypt my files?\n[A5] Follow the general instructions:\n-1. Buy 02 XMR.\n-2. Contact [email protected] and send the following key:\n\n-----BEGIN REDEEMER PUBLIC KEY-----\nNDEhcAxlxZFcOah1x6Msz8aSJQCvSERJpvULl3I0gvggk5fyVG\nm2P5EvQCNsZOpDHGek5no49ldzt5nAV4yCMvLUKX69mLJ+oh+p\nD4cS3yqGJxvvv/nxFt1YtU1Yw9foQXjNNeOnMgTwn6gmSKoqHw\n0DHmDOSWZeNq/sgcieAV9vsHNXF4TnCfEnICB3fi4piw11pf+T\nYr91IQ54rnYG7BoPLgrTxRfWRogrxn3Fr9MzXpLkJ0YtIoNn3R\nA/x8dmAUm2Pwh+fpKBz/FUx3TtLvnHm8c3je2UHc12BEnw2Oly\n6/cSmt/nDZ/rLgqhr+CrKcYK+j8MHM0vNVfXC9vTgbFS7W0/7G\n6dfVXRm1fm90idVUznYsaNV0FUxJquKb4rmepYscl70Buh4RY0\nU7ZZ6CWAZ2xd1fkpvz1Xr9IIWp+LQBeBaZPvsJqcZftVoWjyE9\nYLwcwQfBhFneCtyhQf0dYOZ0uaPyq00R40DtNfqzL6LiwCFcWL\nToC08EOxxGkDTBJ7N3XCHTX8hysU+d9gfoU98TjH3uDWZKJ5Gg\nuEy5XO34QsptBnk8mWDAMpozKlOdI0uPZn7zR7AU8lcwfYvtcr\nCJJrNKak+MiDpxKAo59w61FWJ1ZNasySth7OErawloU8tcen84\nGhthukTZ/FQrEK+a6NSe8uPLBaG6b4mjTblA==\n-----END REDEEMER PUBLIC KEY-----\n\n-3. You will receive an XMR address where you will need to pay the requested amount of Monero.\n-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal."	taskmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted"	taskmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "8888888b. 888 \n888 Y88b 888 \n888 888 888 \n888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 \n8888888P\" d8P Y8b d88\" 888 d8P Y8b d8P Y8b 888 \"888 \"88b d8P Y8b 888P\" \n888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 \n888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 \n888 T88b \"Y8888 \"Y88888 \"Y8888 \"Y8888 888 888 888 \"Y8888 888 \n\nMade by Cerebrate - Dread Forums TOR\n[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]\n\n\n\n[Q1] What happened, I cannot open my files and they have an odd extension?\n[A1] Your files have been encrypted by Redeemer, a new ransomware operation.\n\n[Q2] Is there any way to recover my files?\n[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).\n\n[Q3] Is there any any way to recover my files without paying?\n[A3] Without paying it is impossible your files.\nRedeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security.\nWithout a proper key, you will never regain access to your files.\n\n[Q4] What is XMR (Monero)?\n[A4] It is a privacy oriented cryptocurrency.\nYou can learn more about Monero on getmonero.org.\nYou can view ways to purchase it on www.monero.how/how-to-buy-monero.\n\n[Q5] How will I decrypt my files?\n[A5] Follow the general instructions:\n-1. Buy 02 XMR.\n-2. Contact [email protected] and send the following key:\n\n-----BEGIN REDEEMER PUBLIC KEY-----\nNDEhcAxlxZFcOah1x6Msz8aSJQCvSERJpvULl3I0gvggk5fyVG\nm2P5EvQCNsZOpDHGek5no49ldzt5nAV4yCMvLUKX69mLJ+oh+p\nD4cS3yqGJxvvv/nxFt1YtU1Yw9foQXjNNeOnMgTwn6gmSKoqHw\n0DHmDOSWZeNq/sgcieAV9vsHNXF4TnCfEnICB3fi4piw11pf+T\nYr91IQ54rnYG7BoPLgrTxRfWRogrxn3Fr9MzXpLkJ0YtIoNn3R\nA/x8dmAUm2Pwh+fpKBz/FUx3TtLvnHm8c3je2UHc12BEnw2Oly\n6/cSmt/nDZ/rLgqhr+CrKcYK+j8MHM0vNVfXC9vTgbFS7W0/7G\n6dfVXRm1fm90idVUznYsaNV0FUxJquKb4rmepYscl70Buh4RY0\nU7ZZ6CWAZ2xd1fkpvz1Xr9IIWp+LQBeBaZPvsJqcZftVoWjyE9\nYLwcwQfBhFneCtyhQf0dYOZ0uaPyq00R40DtNfqzL6LiwCFcWL\nToC08EOxxGkDTBJ7N3XCHTX8hysU+d9gfoU98TjH3uDWZKJ5Gg\nuEy5XO34QsptBnk8mWDAMpozKlOdI0uPZn7zR7AU8lcwfYvtcr\nCJJrNKak+MiDpxKAo59w61FWJ1ZNasySth7OErawloU8tcen84\nGhthukTZ/FQrEK+a6NSe8uPLBaG6b4mjTblA==\n-----END REDEEMER PUBLIC KEY-----\n\n-3. You will receive an XMR address where you will need to pay the requested amount of Monero.\n-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal."	taskmgr.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ProgramData__\	sqlservr.exe
File created	C:\Windows\ProgramData__\taskmgr.exe	sqlservr.exe
File opened for modification	C:\Windows\ProgramData__\taskmgr.exe	sqlservr.exe
File created	C:\Windows\ProgramData__\rem.bat	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
524	vssadmin.exe
1164	vssadmin.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command\ = "\"C:\\Windows\\system32\\cmd.exe\" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file."	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.redeem	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.redeem\ = "redeemer"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1412	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	568	vssvc.exe
Token: SeRestorePrivilege	568	vssvc.exe
Token: SeAuditPrivilege	568	vssvc.exe
Token: SeSecurityPrivilege	1712	wevtutil.exe
Token: SeBackupPrivilege	1712	wevtutil.exe
Token: SeSecurityPrivilege	1764	wevtutil.exe
Token: SeBackupPrivilege	1764	wevtutil.exe
Token: SeSecurityPrivilege	1680	wevtutil.exe
Token: SeBackupPrivilege	1680	wevtutil.exe
Token: SeSecurityPrivilege	1412	wevtutil.exe
Token: SeBackupPrivilege	1412	wevtutil.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1832	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1832	1068	sqlservr.exe	26
PID 1068 wrote to memory of 1832	1068	sqlservr.exe	26
PID 1068 wrote to memory of 1832	1068	sqlservr.exe	26
PID 1068 wrote to memory of 1832	1068	sqlservr.exe	26
PID 1832 wrote to memory of 268	1832	taskmgr.exe	28
PID 1832 wrote to memory of 268	1832	taskmgr.exe	28
PID 1832 wrote to memory of 268	1832	taskmgr.exe	28
PID 1832 wrote to memory of 268	1832	taskmgr.exe	28
PID 268 wrote to memory of 524	268	cmd.exe	29
PID 268 wrote to memory of 524	268	cmd.exe	29
PID 268 wrote to memory of 524	268	cmd.exe	29
PID 268 wrote to memory of 524	268	cmd.exe	29
PID 1832 wrote to memory of 1852	1832	taskmgr.exe	31
PID 1832 wrote to memory of 1852	1832	taskmgr.exe	31
PID 1832 wrote to memory of 1852	1832	taskmgr.exe	31
PID 1832 wrote to memory of 1852	1832	taskmgr.exe	31
PID 1852 wrote to memory of 1712	1852	cmd.exe	32
PID 1852 wrote to memory of 1712	1852	cmd.exe	32
PID 1852 wrote to memory of 1712	1852	cmd.exe	32
PID 1852 wrote to memory of 1712	1852	cmd.exe	32
PID 1832 wrote to memory of 1716	1832	taskmgr.exe	33
PID 1832 wrote to memory of 1716	1832	taskmgr.exe	33
PID 1832 wrote to memory of 1716	1832	taskmgr.exe	33
PID 1832 wrote to memory of 1716	1832	taskmgr.exe	33
PID 1716 wrote to memory of 1764	1716	cmd.exe	34
PID 1716 wrote to memory of 1764	1716	cmd.exe	34
PID 1716 wrote to memory of 1764	1716	cmd.exe	34
PID 1716 wrote to memory of 1764	1716	cmd.exe	34
PID 1832 wrote to memory of 1708	1832	taskmgr.exe	35
PID 1832 wrote to memory of 1708	1832	taskmgr.exe	35
PID 1832 wrote to memory of 1708	1832	taskmgr.exe	35
PID 1832 wrote to memory of 1708	1832	taskmgr.exe	35
PID 1708 wrote to memory of 1680	1708	cmd.exe	36
PID 1708 wrote to memory of 1680	1708	cmd.exe	36
PID 1708 wrote to memory of 1680	1708	cmd.exe	36
PID 1708 wrote to memory of 1680	1708	cmd.exe	36
PID 1832 wrote to memory of 1460	1832	taskmgr.exe	37
PID 1832 wrote to memory of 1460	1832	taskmgr.exe	37
PID 1832 wrote to memory of 1460	1832	taskmgr.exe	37
PID 1832 wrote to memory of 1460	1832	taskmgr.exe	37
PID 1460 wrote to memory of 1412	1460	cmd.exe	38
PID 1460 wrote to memory of 1412	1460	cmd.exe	38
PID 1460 wrote to memory of 1412	1460	cmd.exe	38
PID 1460 wrote to memory of 1412	1460	cmd.exe	38
PID 1832 wrote to memory of 1364	1832	taskmgr.exe	39
PID 1832 wrote to memory of 1364	1832	taskmgr.exe	39
PID 1832 wrote to memory of 1364	1832	taskmgr.exe	39
PID 1832 wrote to memory of 1364	1832	taskmgr.exe	39
PID 1832 wrote to memory of 1376	1832	taskmgr.exe	40
PID 1832 wrote to memory of 1376	1832	taskmgr.exe	40
PID 1832 wrote to memory of 1376	1832	taskmgr.exe	40
PID 1832 wrote to memory of 1376	1832	taskmgr.exe	40
PID 1832 wrote to memory of 1628	1832	taskmgr.exe	41
PID 1832 wrote to memory of 1628	1832	taskmgr.exe	41
PID 1832 wrote to memory of 1628	1832	taskmgr.exe	41
PID 1832 wrote to memory of 1628	1832	taskmgr.exe	41
PID 1832 wrote to memory of 316	1832	taskmgr.exe	42
PID 1832 wrote to memory of 316	1832	taskmgr.exe	42
PID 1832 wrote to memory of 316	1832	taskmgr.exe	42
PID 1832 wrote to memory of 316	1832	taskmgr.exe	42
PID 1456 wrote to memory of 1640	1456	cmd.exe	46
PID 1456 wrote to memory of 1640	1456	cmd.exe	46
PID 1456 wrote to memory of 1640	1456	cmd.exe	46
PID 576 wrote to memory of 1596	576	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\sqlservr.exe
"C:\Users\Admin\AppData\Local\Temp\sqlservr.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\ProgramData__\taskmgr.exe
  "C:\Windows\ProgramData__\taskmgr.exe" C:\Users\Admin\AppData\Local\Temp\sqlservr.exe
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Deletes itself
  - Drops desktop.ini file(s)
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil clear-log Application
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil clear-log Security
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil clear-log Setup
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil clear-log System
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil clear-log System
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ftype redeemer="C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
    3⤵
    - Modifies registry class
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c assoc .redeem=redeemer
    3⤵
    - Modifies registry class
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\ProgramData__\rem.bat" "
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1164
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil clear-log Application
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil clear-log Security
      4⤵
      PID:784
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil clear-log Setup
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil clear-log System
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
1⤵
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\system32\msg.exe
  msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
  2⤵
  PID:1640

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Read Me.TXT
1⤵
PID:828

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1764

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
1⤵
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\system32\msg.exe
  msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
  2⤵
  PID:1596

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Read Me.TXT
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

File Deletion

T1107

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact