Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    19-10-2021 19:55

General

  • Target

    rdmr_3.exe

  • Size

    1.8MB

  • MD5

    00c227b93837e5e5f7f24509459a0216

  • SHA1

    8148f3df22b82dbdf664ff5e343bb053f01830b7

  • SHA256

    0d93bc5a94ff11a3221e186b6fe8ee28aed9f2f1db2413e6562f43bc7f23786f

  • SHA512

    574b1fdc7505aa597b078828d7559982e4b506c49466f2600b0dfcf4ba3584581df35e5c7baa91ddda97052c6e34d146d8d1e0457269f18ac7799deb9ef069db

Malware Config

Extracted

Path

C:\Read Me.TXT

Ransom Note
8888888b. 888 888 Y88b 888 888 888 888 888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 8888888P" d8P Y8b d88" 888 d8P Y8b d8P Y8b 888 "888 "88b d8P Y8b 888P" 888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 888 T88b "Y8888 "Y88888 "Y8888 "Y8888 888 888 888 "Y8888 888

Made by Cerebrate - Dread Forums TOR [http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]

[Q1] What happened, I cannot open my files and they have an odd extension?
[A1] Your files have been encrypted by Redeemer, a new ransomware operation.
[Q2] Is there any way to recover my files?
[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).
[Q3] Is there any any way to recover my files without paying?
[A3] Without paying it is impossible your files. Redeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security. Without a proper key, you will never regain access to your files.
[Q4] What is XMR (Monero)?
[A4] It is a privacy oriented cryptocurrency. You can learn more about Monero on getmonero.org. You can view ways to purchase it on www.monero.how/how-to-buy-monero.
[Q5] How will I decrypt my files?
[A5] Follow the general instructions:
-1. Buy 32 XMR.
-2. Contact aloop@protonmail.com and send the following key:
-----BEGIN REDEEMER PUBLIC KEY-----
NzaJFJgPWKxTXBO+KIEgZCxcMhSY8ZVM6JZj4ANMtr+FLRCDar
wRC6/9thIhlrgN3Rn0pG3w/nNv/+L40n6DPpubWLqwuFAcrpoq
unujNCGmdwamZUsPhV1l7HMLASXTx27tGyGkJfXoN2Y1/8gQ8W
HOQ+MIyCzKU0dDkN/ifGmw6+GZrk7KOEDj0nlWtbLWHekZLs9c
Fu0bh3NskwnwQzgzvh8Mk6Bngi+HXhp9IVSy13qlG+Vxmb3Xqa
91nRuf5ehsXEF756G5vC1khfqxYCoTidhQarEueQkNzZwjyKyo
LkL+KxlqhDaeOq82sypzuI0Y7o5m0pY9194NM1z1wxHhWovGeL
6sNtrk9MBz2o3G9UrDn1H3LBrvkW2Fd04wVD1x+xkoiv2UBxB5
Is+OnmXUmGD6Mq1TqsVoljGlVV3PgOSPfT8nNNyEuHdEru+B7a
dvjsq48/2p/PIR2zRhcHZVsE7WmiU1IP0ErWVq2B+wBZJjkM0F
SkSIefMv9pV+tixsrD+FlmuDCAB12VTipcEkuRLiT8GAWAyAEF
d11MAmomJc0aNfRp2230Ki6iISyihGntK2u84sQaDQXQfyO+RU
TdonPgGGqY25r95GLV3WABiSPmDJCbIJ3IjTOgbQLVWCf6eWoz
BhMHI2RASREC0eH4t+v+E2O7ExENzaBYS8Pw==
-----END REDEEMER PUBLIC KEY-----
-3. You will receive an XMR address where you will need to pay the requested amount of Monero.
-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal.
Emails

aloop@protonmail.com

Signatures

  • Clears Windows event logs 1 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 13 IoCs
  • Modifies WinLogon 2 TTPs 4 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rdmr_3.exe
    "C:\Users\Admin\AppData\Local\Temp\rdmr_3.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Modifies WinLogon
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:404
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3348
      • C:\Windows\SysWOW64\wevtutil.exe
        wevtutil clear-log Application
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1048
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\SysWOW64\wevtutil.exe
        wevtutil clear-log Security
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\wevtutil.exe
        wevtutil clear-log Setup
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2500
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil clear-log System
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\SysWOW64\wevtutil.exe
        wevtutil clear-log System
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1072
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
      2⤵
      PID:1964
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet
      2⤵
      PID:696
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ftype redeemer="C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
      2⤵
      • Modifies registry class
      PID:720
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .redeem=redeemer
      2⤵
      • Modifies registry class
      PID:372
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3172

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Winlogon Helper DLL (T1004): 1
  • Defense Evasion
    Indicator Removal on Host (T1070): 1
    File Deletion (T1107): 2
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 1
  • Collection
    Data from Local System (T1005): 1
  • Impact
    Inhibit System Recovery (T1490): 2


Downloads

  • memory/368-115-0x0000000000000000-mapping.dmp
  • memory/372-128-0x0000000000000000-mapping.dmp
  • memory/404-116-0x0000000000000000-mapping.dmp
  • memory/696-126-0x0000000000000000-mapping.dmp
  • memory/720-127-0x0000000000000000-mapping.dmp
  • memory/1048-118-0x0000000000000000-mapping.dmp
  • memory/1072-124-0x0000000000000000-mapping.dmp
  • memory/1964-125-0x0000000000000000-mapping.dmp
  • memory/2156-123-0x0000000000000000-mapping.dmp
  • memory/2160-119-0x0000000000000000-mapping.dmp
  • memory/2500-122-0x0000000000000000-mapping.dmp
  • memory/2648-121-0x0000000000000000-mapping.dmp
  • memory/2856-120-0x0000000000000000-mapping.dmp
  • memory/3348-117-0x0000000000000000-mapping.dmp