Analysis
- max time kernel: 149s
- max time network: 34s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 19-10-2021 19:55
Static task: static1
Behavioral task: behavioral1
  Sample: rdmr_svchost.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: rdmr_svchost.exe
  Resource: win10-en-20211014
General
- Target: rdmr_svchost.exe
- Size: 1.8MB
- MD5: e37a0ece30267233f1dddf3c2300393f
- SHA1: 27610367c41c1b8d3a26885b40fd7aac748189b2
- SHA256: bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d
- SHA512: a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2
Malware Config
Signatures
- Clears Windows event logs (1 TTPs)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1372  lsass.exe
- Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (process: lsass.exe in every row):
    description                   ioc
    File created                  C:\Users\Admin\Pictures\SplitUnlock.tif.redeem
    File created                  C:\Users\Admin\Pictures\TraceJoin.png.redeem
    File created                  C:\Users\Admin\Pictures\InitializeWatch.png.redeem
    File created                  C:\Users\Admin\Pictures\OutWatch.crw.redeem
    File created                  C:\Users\Admin\Pictures\RestoreNew.raw.redeem
    File created                  C:\Users\Admin\Pictures\ResumePublish.raw.redeem
    File created                  C:\Users\Admin\Pictures\OpenStart.tif.redeem
    File created                  C:\Users\Admin\Pictures\SplitSkip.tiff.redeem
    File opened for modification  C:\Users\Admin\Pictures\MergeExpand.tiff
    File opened for modification  C:\Users\Admin\Pictures\SplitSkip.tiff
    File created                  C:\Users\Admin\Pictures\LimitEnter.png.redeem
    File created                  C:\Users\Admin\Pictures\MergeExpand.tiff.redeem
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    1372  lsass.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    1340  rdmr_svchost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (17 IoCs)
  Processes (process: lsass.exe in every row; description: File opened for modification in every row):
    ioc
    C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
    C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
- Drops file in Windows directory (3 IoCs)
  Processes (process: rdmr_svchost.exe in every row):
    description                   ioc
    File opened for modification  C:\Windows\ProgramData\lsass.exe
    File opened for modification  C:\Windows\ProgramData\
    File created                  C:\Windows\ProgramData\lsass.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    1416  vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: vssvc.exe, wevtutil.exe (4 instances), lsass.exe
    description                      pid   process
    Token: SeBackupPrivilege         1524  vssvc.exe
    Token: SeRestorePrivilege        1524  vssvc.exe
    Token: SeAuditPrivilege          1524  vssvc.exe
    Token: SeSecurityPrivilege       1012  wevtutil.exe
    Token: SeBackupPrivilege         1012  wevtutil.exe
    Token: SeSecurityPrivilege       1824  wevtutil.exe
    Token: SeBackupPrivilege         1824  wevtutil.exe
    Token: SeSecurityPrivilege       1272  wevtutil.exe
    Token: SeBackupPrivilege         1272  wevtutil.exe
    Token: SeSecurityPrivilege       1136  wevtutil.exe
    Token: SeBackupPrivilege         1136  wevtutil.exe
    Token: SeTakeOwnershipPrivilege  1372  lsass.exe  (this identical row is recorded 53 times, making up the remaining IoCs)
- Suspicious use of WriteProcessMemory (44 IoCs)
  Processes: rdmr_svchost.exe, lsass.exe, cmd.exe (5 instances)
  Each source/target pair below is recorded 4 times in the report (11 pairs, 44 entries):
    description                      pid   process           target process
    PID 1340 wrote to memory of 1372 1340  rdmr_svchost.exe  lsass.exe
    PID 1372 wrote to memory of 1504 1372  lsass.exe         cmd.exe
    PID 1504 wrote to memory of 1416 1504  cmd.exe           vssadmin.exe
    PID 1372 wrote to memory of 1940 1372  lsass.exe         cmd.exe
    PID 1940 wrote to memory of 1012 1940  cmd.exe           wevtutil.exe
    PID 1372 wrote to memory of 2040 1372  lsass.exe         cmd.exe
    PID 2040 wrote to memory of 1824 2040  cmd.exe           wevtutil.exe
    PID 1372 wrote to memory of 1708 1372  lsass.exe         cmd.exe
    PID 1708 wrote to memory of 1272 1708  cmd.exe           wevtutil.exe
    PID 1372 wrote to memory of 820  1372  lsass.exe         cmd.exe
    PID 820 wrote to memory of 1136  820   cmd.exe           wevtutil.exe
Processes (indentation shows the process tree depth; "Signatures" lists the detections attributed to that process)
- [depth 1] C:\Users\Admin\AppData\Local\Temp\rdmr_svchost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rdmr_svchost.exe"
  Signatures: Loads dropped DLL; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\ProgramData\lsass.exe
    Command line: "C:\Windows\ProgramData\lsass.exe" C:\Users\Admin\AppData\Local\Temp\rdmr_svchost.exe
    Signatures: Executes dropped EXE; Modifies extensions of user files; Deletes itself; Drops desktop.ini file(s); Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /All /Quiet
        Signatures: Interacts with shadow copies
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\wevtutil.exe
        Command line: wevtutil clear-log Application
        Signatures: Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\wevtutil.exe
        Command line: wevtutil clear-log Security
        Signatures: Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\wevtutil.exe
        Command line: wevtutil clear-log Setup
        Signatures: Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log System
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\wevtutil.exe
        Command line: wevtutil clear-log System
        Signatures: Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\ProgramData\lsass.exe (also listed as \Windows\ProgramData\lsass.exe; the hashes match the submitted sample, i.e. the dropped file is a copy of rdmr_svchost.exe)
  MD5: e37a0ece30267233f1dddf3c2300393f
  SHA1: 27610367c41c1b8d3a26885b40fd7aac748189b2
  SHA256: bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d
  SHA512: a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2
Memory dumps
- memory/820-68-0x0000000000000000-mapping.dmp
- memory/1012-63-0x0000000000000000-mapping.dmp
- memory/1136-69-0x0000000000000000-mapping.dmp
- memory/1272-67-0x0000000000000000-mapping.dmp
- memory/1340-54-0x00000000767F1000-0x00000000767F3000-memory.dmp (Filesize: 8KB)
- memory/1372-56-0x0000000000000000-mapping.dmp
- memory/1416-61-0x0000000000000000-mapping.dmp
- memory/1504-60-0x0000000000000000-mapping.dmp
- memory/1708-66-0x0000000000000000-mapping.dmp
- memory/1824-65-0x0000000000000000-mapping.dmp
- memory/1940-62-0x0000000000000000-mapping.dmp
- memory/2040-64-0x0000000000000000-mapping.dmp