Analysis
-
max time kernel
168s -
max time network
102s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
20-09-2021 03:04
Static task
static1
Behavioral task
behavioral1
Sample
sqlservr.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
sqlservr.exe
Resource
win10-en
General
-
Target
sqlservr.exe
-
Size
1.8MB
-
MD5
e1338c42da2d2363afbbd0eeabad1ca9
-
SHA1
fe5d669b732c9227bb25787083906f49b732c335
-
SHA256
61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e
-
SHA512
bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a
Malware Config
Extracted
C:\Read Me.TXT
helpdecryptmyfiles@yandex.com
Signatures
-
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
Processes:
taskmgr.exepid process 1832 taskmgr.exe -
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
taskmgr.exedescription ioc process File created C:\Users\Admin\Pictures\SubmitConnect.crw.redeem taskmgr.exe File opened for modification C:\Users\Admin\Pictures\ApproveUse.tiff taskmgr.exe File created C:\Users\Admin\Pictures\DenyCheckpoint.raw.redeem taskmgr.exe File created C:\Users\Admin\Pictures\ApproveUse.tiff.redeem taskmgr.exe File created C:\Users\Admin\Pictures\ReadMount.png.redeem taskmgr.exe File created C:\Users\Admin\Pictures\EnableRemove.raw.redeem taskmgr.exe File created C:\Users\Admin\Pictures\ReadSuspend.png.redeem taskmgr.exe File created C:\Users\Admin\Pictures\SkipAdd.tiff.redeem taskmgr.exe File opened for modification C:\Users\Admin\Pictures\EditConvertTo.tiff taskmgr.exe File opened for modification C:\Users\Admin\Pictures\SkipAdd.tiff taskmgr.exe File created C:\Users\Admin\Pictures\ConvertFromFind.tif.redeem taskmgr.exe File created C:\Users\Admin\Pictures\EditConvertTo.tiff.redeem taskmgr.exe -
Deletes itself 1 IoCs
Processes:
taskmgr.exepid process 1832 taskmgr.exe -
Loads dropped DLL 1 IoCs
Processes:
sqlservr.exepid process 1068 sqlservr.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 16 IoCs
Processes:
taskmgr.exedescription ioc process File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini taskmgr.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini taskmgr.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini taskmgr.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini taskmgr.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini taskmgr.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini taskmgr.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini taskmgr.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini taskmgr.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini taskmgr.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini taskmgr.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini taskmgr.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini taskmgr.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini taskmgr.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini taskmgr.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini taskmgr.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini taskmgr.exe -
Modifies WinLogon 2 TTPs 4 IoCs
Processes:
taskmgr.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted" taskmgr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "8888888b. 888 \n888 Y88b 888 \n888 888 888 \n888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 \n8888888P\" d8P Y8b d88\" 888 d8P Y8b d8P Y8b 888 \"888 \"88b d8P Y8b 888P\" \n888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 \n888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 \n888 T88b \"Y8888 \"Y88888 \"Y8888 \"Y8888 888 888 888 \"Y8888 888 \n\nMade by Cerebrate - Dread Forums TOR\n[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]\n\n\n\n[Q1] What happened, I cannot open my files and they have an odd extension?\n[A1] Your files have been encrypted by Redeemer, a new ransomware operation.\n\n[Q2] Is there any way to recover my files?\n[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).\n\n[Q3] Is there any any way to recover my files without paying?\n[A3] Without paying it is impossible your files.\nRedeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security.\nWithout a proper key, you will never regain access to your files.\n\n[Q4] What is XMR (Monero)?\n[A4] It is a privacy oriented cryptocurrency.\nYou can learn more about Monero on getmonero.org.\nYou can view ways to purchase it on www.monero.how/how-to-buy-monero.\n\n[Q5] How will I decrypt my files?\n[A5] Follow the general instructions:\n-1. Buy 02 XMR.\n-2. Contact helpdecryptmyfiles@yandex.com and send the following key:\n\n-----BEGIN REDEEMER PUBLIC KEY-----\nNDEhcAxlxZFcOah1x6Msz8aSJQCvSERJpvULl3I0gvggk5fyVG\nm2P5EvQCNsZOpDHGek5no49ldzt5nAV4yCMvLUKX69mLJ+oh+p\nD4cS3yqGJxvvv/nxFt1YtU1Yw9foQXjNNeOnMgTwn6gmSKoqHw\n0DHmDOSWZeNq/sgcieAV9vsHNXF4TnCfEnICB3fi4piw11pf+T\nYr91IQ54rnYG7BoPLgrTxRfWRogrxn3Fr9MzXpLkJ0YtIoNn3R\nA/x8dmAUm2Pwh+fpKBz/FUx3TtLvnHm8c3je2UHc12BEnw2Oly\n6/cSmt/nDZ/rLgqhr+CrKcYK+j8MHM0vNVfXC9vTgbFS7W0/7G\n6dfVXRm1fm90idVUznYsaNV0FUxJquKb4rmepYscl70Buh4RY0\nU7ZZ6CWAZ2xd1fkpvz1Xr9IIWp+LQBeBaZPvsJqcZftVoWjyE9\nYLwcwQfBhFneCtyhQf0dYOZ0uaPyq00R40DtNfqzL6LiwCFcWL\nToC08EOxxGkDTBJ7N3XCHTX8hysU+d9gfoU98TjH3uDWZKJ5Gg\nuEy5XO34QsptBnk8mWDAMpozKlOdI0uPZn7zR7AU8lcwfYvtcr\nCJJrNKak+MiDpxKAo59w61FWJ1ZNasySth7OErawloU8tcen84\nGhthukTZ/FQrEK+a6NSe8uPLBaG6b4mjTblA==\n-----END REDEEMER PUBLIC KEY-----\n\n-3. You will receive an XMR address where you will need to pay the requested amount of Monero.\n-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal." taskmgr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted" taskmgr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "8888888b. 888 \n888 Y88b 888 \n888 888 888 \n888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 \n8888888P\" d8P Y8b d88\" 888 d8P Y8b d8P Y8b 888 \"888 \"88b d8P Y8b 888P\" \n888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 \n888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 \n888 T88b \"Y8888 \"Y88888 \"Y8888 \"Y8888 888 888 888 \"Y8888 888 \n\nMade by Cerebrate - Dread Forums TOR\n[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]\n\n\n\n[Q1] What happened, I cannot open my files and they have an odd extension?\n[A1] Your files have been encrypted by Redeemer, a new ransomware operation.\n\n[Q2] Is there any way to recover my files?\n[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).\n\n[Q3] Is there any any way to recover my files without paying?\n[A3] Without paying it is impossible your files.\nRedeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security.\nWithout a proper key, you will never regain access to your files.\n\n[Q4] What is XMR (Monero)?\n[A4] It is a privacy oriented cryptocurrency.\nYou can learn more about Monero on getmonero.org.\nYou can view ways to purchase it on www.monero.how/how-to-buy-monero.\n\n[Q5] How will I decrypt my files?\n[A5] Follow the general instructions:\n-1. Buy 02 XMR.\n-2. Contact helpdecryptmyfiles@yandex.com and send the following key:\n\n-----BEGIN REDEEMER PUBLIC KEY-----\nNDEhcAxlxZFcOah1x6Msz8aSJQCvSERJpvULl3I0gvggk5fyVG\nm2P5EvQCNsZOpDHGek5no49ldzt5nAV4yCMvLUKX69mLJ+oh+p\nD4cS3yqGJxvvv/nxFt1YtU1Yw9foQXjNNeOnMgTwn6gmSKoqHw\n0DHmDOSWZeNq/sgcieAV9vsHNXF4TnCfEnICB3fi4piw11pf+T\nYr91IQ54rnYG7BoPLgrTxRfWRogrxn3Fr9MzXpLkJ0YtIoNn3R\nA/x8dmAUm2Pwh+fpKBz/FUx3TtLvnHm8c3je2UHc12BEnw2Oly\n6/cSmt/nDZ/rLgqhr+CrKcYK+j8MHM0vNVfXC9vTgbFS7W0/7G\n6dfVXRm1fm90idVUznYsaNV0FUxJquKb4rmepYscl70Buh4RY0\nU7ZZ6CWAZ2xd1fkpvz1Xr9IIWp+LQBeBaZPvsJqcZftVoWjyE9\nYLwcwQfBhFneCtyhQf0dYOZ0uaPyq00R40DtNfqzL6LiwCFcWL\nToC08EOxxGkDTBJ7N3XCHTX8hysU+d9gfoU98TjH3uDWZKJ5Gg\nuEy5XO34QsptBnk8mWDAMpozKlOdI0uPZn7zR7AU8lcwfYvtcr\nCJJrNKak+MiDpxKAo59w61FWJ1ZNasySth7OErawloU8tcen84\nGhthukTZ/FQrEK+a6NSe8uPLBaG6b4mjTblA==\n-----END REDEEMER PUBLIC KEY-----\n\n-3. You will receive an XMR address where you will need to pay the requested amount of Monero.\n-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal." taskmgr.exe -
Drops file in Windows directory 4 IoCs
Processes:
sqlservr.exetaskmgr.exedescription ioc process File opened for modification C:\Windows\ProgramData__\ sqlservr.exe File created C:\Windows\ProgramData__\taskmgr.exe sqlservr.exe File opened for modification C:\Windows\ProgramData__\taskmgr.exe sqlservr.exe File created C:\Windows\ProgramData__\rem.bat taskmgr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 524 vssadmin.exe 1164 vssadmin.exe -
Modifies registry class 7 IoCs
Processes:
cmd.execmd.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command\ = "\"C:\\Windows\\system32\\cmd.exe\" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file." cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.redeem cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.redeem\ = "redeemer" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open cmd.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
vssvc.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exetaskmgr.exedescription pid process Token: SeBackupPrivilege 568 vssvc.exe Token: SeRestorePrivilege 568 vssvc.exe Token: SeAuditPrivilege 568 vssvc.exe Token: SeSecurityPrivilege 1712 wevtutil.exe Token: SeBackupPrivilege 1712 wevtutil.exe Token: SeSecurityPrivilege 1764 wevtutil.exe Token: SeBackupPrivilege 1764 wevtutil.exe Token: SeSecurityPrivilege 1680 wevtutil.exe Token: SeBackupPrivilege 1680 wevtutil.exe Token: SeSecurityPrivilege 1412 wevtutil.exe Token: SeBackupPrivilege 1412 wevtutil.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe Token: SeTakeOwnershipPrivilege 1832 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
sqlservr.exetaskmgr.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1068 wrote to memory of 1832 1068 sqlservr.exe taskmgr.exe PID 1068 wrote to memory of 1832 1068 sqlservr.exe taskmgr.exe PID 1068 wrote to memory of 1832 1068 sqlservr.exe taskmgr.exe PID 1068 wrote to memory of 1832 1068 sqlservr.exe taskmgr.exe PID 1832 wrote to memory of 268 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 268 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 268 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 268 1832 taskmgr.exe cmd.exe PID 268 wrote to memory of 524 268 cmd.exe vssadmin.exe PID 268 wrote to memory of 524 268 cmd.exe vssadmin.exe PID 268 wrote to memory of 524 268 cmd.exe vssadmin.exe PID 268 wrote to memory of 524 268 cmd.exe vssadmin.exe PID 1832 wrote to memory of 1852 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1852 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1852 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1852 1832 taskmgr.exe cmd.exe PID 1852 wrote to memory of 1712 1852 cmd.exe wevtutil.exe PID 1852 wrote to memory of 1712 1852 cmd.exe wevtutil.exe PID 1852 wrote to memory of 1712 1852 cmd.exe wevtutil.exe PID 1852 wrote to memory of 1712 1852 cmd.exe wevtutil.exe PID 1832 wrote to memory of 1716 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1716 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1716 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1716 1832 taskmgr.exe cmd.exe PID 1716 wrote to memory of 1764 1716 cmd.exe wevtutil.exe PID 1716 wrote to memory of 1764 1716 cmd.exe wevtutil.exe PID 1716 wrote to memory of 1764 1716 cmd.exe wevtutil.exe PID 1716 wrote to memory of 1764 1716 cmd.exe wevtutil.exe PID 1832 wrote to memory of 1708 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1708 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1708 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1708 1832 taskmgr.exe cmd.exe PID 1708 wrote to memory of 1680 1708 cmd.exe wevtutil.exe PID 1708 wrote to memory of 1680 1708 cmd.exe wevtutil.exe PID 1708 wrote to memory of 1680 1708 cmd.exe wevtutil.exe PID 1708 wrote to memory of 1680 1708 cmd.exe wevtutil.exe PID 1832 wrote to memory of 1460 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1460 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1460 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1460 1832 taskmgr.exe cmd.exe PID 1460 wrote to memory of 1412 1460 cmd.exe wevtutil.exe PID 1460 wrote to memory of 1412 1460 cmd.exe wevtutil.exe PID 1460 wrote to memory of 1412 1460 cmd.exe wevtutil.exe PID 1460 wrote to memory of 1412 1460 cmd.exe wevtutil.exe PID 1832 wrote to memory of 1364 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1364 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1364 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1364 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1376 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1376 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1376 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1376 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1628 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1628 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1628 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 1628 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 316 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 316 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 316 1832 taskmgr.exe cmd.exe PID 1832 wrote to memory of 316 1832 taskmgr.exe cmd.exe PID 1456 wrote to memory of 1640 1456 cmd.exe msg.exe PID 1456 wrote to memory of 1640 1456 cmd.exe msg.exe PID 1456 wrote to memory of 1640 1456 cmd.exe msg.exe PID 576 wrote to memory of 1596 576 cmd.exe msg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\sqlservr.exe"C:\Users\Admin\AppData\Local\Temp\sqlservr.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\ProgramData__\taskmgr.exe"C:\Windows\ProgramData__\taskmgr.exe" C:\Users\Admin\AppData\Local\Temp\sqlservr.exe2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Deletes itself
- Drops desktop.ini file(s)
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /All /Quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil clear-log Application3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wevtutil.exewevtutil clear-log Application4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil clear-log Security3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wevtutil.exewevtutil clear-log Security4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil clear-log Setup3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wevtutil.exewevtutil clear-log Setup4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil clear-log System3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wevtutil.exewevtutil clear-log System4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ftype redeemer="C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c assoc .redeem=redeemer3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\ProgramData__\rem.bat" "3⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /All /Quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\wevtutil.exewevtutil clear-log Application4⤵
-
C:\Windows\SysWOW64\wevtutil.exewevtutil clear-log Security4⤵
-
C:\Windows\SysWOW64\wevtutil.exewevtutil clear-log Setup4⤵
-
C:\Windows\SysWOW64\wevtutil.exewevtutil clear-log System4⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\msg.exemsg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.2⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Read Me.TXT1⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\msg.exemsg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.2⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Read Me.TXT1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\Read Me.TXTMD5
d09a32bc5fc4af6f1551a43979e91dc4
SHA154fbfd017467fc07e256e4178ead93335f8235a5
SHA256ce64c3d02d74c28bba52f7feee05236c11064e64f2a44a4d03b02f7c6e7a4bd4
SHA51245f75091380a17260a0d0eca73943432a41de756fbeb5a68e3f82f4010fce32c43f153e2f77c53e19fd3d20d63a622a15d7853928154ee106e740ee44814702a
-
C:\Windows\ProgramData__\rem.batMD5
53fab9da99799401986ad696370e63fa
SHA1c9aa68df133d393a9de0edc933ccd27e0c66e4b1
SHA256cf58baf666d762256b17bcc8274f02af598ecb7daa827e8725a3f47c09bf2824
SHA5124fd246f6148a6a0c07ec09a90df5f6d340471cbe6dba7995cc64df1488b62147bb57ef424c5824e425275859235a1b247d582a51b4e586c50ff6d9c6c1bf973d
-
C:\Windows\ProgramData__\taskmgr.exeMD5
e1338c42da2d2363afbbd0eeabad1ca9
SHA1fe5d669b732c9227bb25787083906f49b732c335
SHA25661c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e
SHA512bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a
-
\Windows\ProgramData__\taskmgr.exeMD5
e1338c42da2d2363afbbd0eeabad1ca9
SHA1fe5d669b732c9227bb25787083906f49b732c335
SHA25661c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e
SHA512bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a
-
memory/268-65-0x0000000000000000-mapping.dmp
-
memory/316-78-0x0000000000000000-mapping.dmp
-
memory/524-66-0x0000000000000000-mapping.dmp
-
memory/784-90-0x0000000000000000-mapping.dmp
-
memory/828-81-0x000007FEFB631000-0x000007FEFB633000-memory.dmpFilesize
8KB
-
memory/1068-60-0x0000000075801000-0x0000000075803000-memory.dmpFilesize
8KB
-
memory/1092-91-0x0000000000000000-mapping.dmp
-
memory/1164-88-0x0000000000000000-mapping.dmp
-
memory/1364-75-0x0000000000000000-mapping.dmp
-
memory/1376-76-0x0000000000000000-mapping.dmp
-
memory/1412-74-0x0000000000000000-mapping.dmp
-
memory/1412-93-0x0000000000000000-mapping.dmp
-
memory/1460-73-0x0000000000000000-mapping.dmp
-
memory/1596-84-0x0000000000000000-mapping.dmp
-
memory/1608-86-0x0000000000000000-mapping.dmp
-
memory/1628-77-0x0000000000000000-mapping.dmp
-
memory/1636-89-0x0000000000000000-mapping.dmp
-
memory/1640-80-0x0000000000000000-mapping.dmp
-
memory/1680-72-0x0000000000000000-mapping.dmp
-
memory/1708-71-0x0000000000000000-mapping.dmp
-
memory/1712-68-0x0000000000000000-mapping.dmp
-
memory/1716-69-0x0000000000000000-mapping.dmp
-
memory/1740-92-0x0000000000000000-mapping.dmp
-
memory/1764-70-0x0000000000000000-mapping.dmp
-
memory/1832-62-0x0000000000000000-mapping.dmp
-
memory/1852-67-0x0000000000000000-mapping.dmp