bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d

General

Target

rdmr_svchost.exe
Size

1.8MB
MD5

e37a0ece30267233f1dddf3c2300393f
SHA1

27610367c41c1b8d3a26885b40fd7aac748189b2
SHA256

bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d
SHA512

a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2

Score

9^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid process

1372 lsass.exe

pid	process
1372	lsass.exe

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

lsass.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\SplitUnlock.tif.redeem	lsass.exe
File created	C:\Users\Admin\Pictures\TraceJoin.png.redeem	lsass.exe
File created	C:\Users\Admin\Pictures\InitializeWatch.png.redeem	lsass.exe
File created	C:\Users\Admin\Pictures\OutWatch.crw.redeem	lsass.exe
File created	C:\Users\Admin\Pictures\RestoreNew.raw.redeem	lsass.exe
File created	C:\Users\Admin\Pictures\ResumePublish.raw.redeem	lsass.exe
File created	C:\Users\Admin\Pictures\OpenStart.tif.redeem	lsass.exe
File created	C:\Users\Admin\Pictures\SplitSkip.tiff.redeem	lsass.exe
File opened for modification	C:\Users\Admin\Pictures\MergeExpand.tiff	lsass.exe
File opened for modification	C:\Users\Admin\Pictures\SplitSkip.tiff	lsass.exe
File created	C:\Users\Admin\Pictures\LimitEnter.png.redeem	lsass.exe
File created	C:\Users\Admin\Pictures\MergeExpand.tiff.redeem	lsass.exe

Deletes itself 1 IoCs

Processes:

lsass.exe

pid process

1372 lsass.exe
Loads dropped DLL 1 IoCs

Processes:

rdmr_svchost.exe

pid process

1340 rdmr_svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1372	lsass.exe

pid	process
1340	rdmr_svchost.exe

Drops desktop.ini file(s) 17 IoCs

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	lsass.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	lsass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	lsass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	lsass.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	lsass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	lsass.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	lsass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	lsass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	lsass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	lsass.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	lsass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	lsass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	lsass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	lsass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	lsass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	lsass.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	lsass.exe

Drops file in Windows directory 3 IoCs

Processes:

rdmr_svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ProgramData\lsass.exe	rdmr_svchost.exe
File opened for modification	C:\Windows\ProgramData\	rdmr_svchost.exe
File created	C:\Windows\ProgramData\lsass.exe	rdmr_svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1416 vssadmin.exe

pid	process
1416	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exelsass.exe

description	pid	process
Token: SeBackupPrivilege	1524	vssvc.exe
Token: SeRestorePrivilege	1524	vssvc.exe
Token: SeAuditPrivilege	1524	vssvc.exe
Token: SeSecurityPrivilege	1012	wevtutil.exe
Token: SeBackupPrivilege	1012	wevtutil.exe
Token: SeSecurityPrivilege	1824	wevtutil.exe
Token: SeBackupPrivilege	1824	wevtutil.exe
Token: SeSecurityPrivilege	1272	wevtutil.exe
Token: SeBackupPrivilege	1272	wevtutil.exe
Token: SeSecurityPrivilege	1136	wevtutil.exe
Token: SeBackupPrivilege	1136	wevtutil.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe
Token: SeTakeOwnershipPrivilege	1372	lsass.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

rdmr_svchost.exelsass.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1340 wrote to memory of 1372	1340	rdmr_svchost.exe	lsass.exe
PID 1340 wrote to memory of 1372	1340	rdmr_svchost.exe	lsass.exe
PID 1340 wrote to memory of 1372	1340	rdmr_svchost.exe	lsass.exe
PID 1340 wrote to memory of 1372	1340	rdmr_svchost.exe	lsass.exe
PID 1372 wrote to memory of 1504	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 1504	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 1504	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 1504	1372	lsass.exe	cmd.exe
PID 1504 wrote to memory of 1416	1504	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 1416	1504	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 1416	1504	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 1416	1504	cmd.exe	vssadmin.exe
PID 1372 wrote to memory of 1940	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 1940	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 1940	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 1940	1372	lsass.exe	cmd.exe
PID 1940 wrote to memory of 1012	1940	cmd.exe	wevtutil.exe
PID 1940 wrote to memory of 1012	1940	cmd.exe	wevtutil.exe
PID 1940 wrote to memory of 1012	1940	cmd.exe	wevtutil.exe
PID 1940 wrote to memory of 1012	1940	cmd.exe	wevtutil.exe
PID 1372 wrote to memory of 2040	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 2040	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 2040	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 2040	1372	lsass.exe	cmd.exe
PID 2040 wrote to memory of 1824	2040	cmd.exe	wevtutil.exe
PID 2040 wrote to memory of 1824	2040	cmd.exe	wevtutil.exe
PID 2040 wrote to memory of 1824	2040	cmd.exe	wevtutil.exe
PID 2040 wrote to memory of 1824	2040	cmd.exe	wevtutil.exe
PID 1372 wrote to memory of 1708	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 1708	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 1708	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 1708	1372	lsass.exe	cmd.exe
PID 1708 wrote to memory of 1272	1708	cmd.exe	wevtutil.exe
PID 1708 wrote to memory of 1272	1708	cmd.exe	wevtutil.exe
PID 1708 wrote to memory of 1272	1708	cmd.exe	wevtutil.exe
PID 1708 wrote to memory of 1272	1708	cmd.exe	wevtutil.exe
PID 1372 wrote to memory of 820	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 820	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 820	1372	lsass.exe	cmd.exe
PID 1372 wrote to memory of 820	1372	lsass.exe	cmd.exe
PID 820 wrote to memory of 1136	820	cmd.exe	wevtutil.exe
PID 820 wrote to memory of 1136	820	cmd.exe	wevtutil.exe
PID 820 wrote to memory of 1136	820	cmd.exe	wevtutil.exe
PID 820 wrote to memory of 1136	820	cmd.exe	wevtutil.exe

C:\Users\Admin\AppData\Local\Temp\rdmr_svchost.exe
"C:\Users\Admin\AppData\Local\Temp\rdmr_svchost.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\ProgramData\lsass.exe
"C:\Windows\ProgramData\lsass.exe" C:\Users\Admin\AppData\Local\Temp\rdmr_svchost.exe
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Deletes itself
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
3⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log Application
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
3⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log Security
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
3⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log Setup
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil clear-log System
3⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log System
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

1

T1070

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ProgramData\lsass.exe
MD5
e37a0ece30267233f1dddf3c2300393f

SHA1
27610367c41c1b8d3a26885b40fd7aac748189b2

SHA256
bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d

SHA512
a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2

Download Submit
C:\Windows\ProgramData\lsass.exe
MD5
e37a0ece30267233f1dddf3c2300393f

SHA1
27610367c41c1b8d3a26885b40fd7aac748189b2

SHA256
bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d

SHA512
a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2

Download Submit
\Windows\ProgramData\lsass.exe
MD5
e37a0ece30267233f1dddf3c2300393f

SHA1
27610367c41c1b8d3a26885b40fd7aac748189b2

SHA256
bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d

SHA512
a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2

Download Submit
memory/820-68-0x0000000000000000-mapping.dmp

Download
memory/1012-63-0x0000000000000000-mapping.dmp

Download
memory/1136-69-0x0000000000000000-mapping.dmp

Download
memory/1272-67-0x0000000000000000-mapping.dmp

Download
memory/1340-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1372-56-0x0000000000000000-mapping.dmp

Download
memory/1416-61-0x0000000000000000-mapping.dmp

Download
memory/1504-60-0x0000000000000000-mapping.dmp

Download
memory/1708-66-0x0000000000000000-mapping.dmp

Download
memory/1824-65-0x0000000000000000-mapping.dmp

Download
memory/1940-62-0x0000000000000000-mapping.dmp

Download
memory/2040-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads