Overview

overview

9

Static

static

rdmr_svchost.exe

windows7_x64

9

rdmr_svchost.exe

windows10_x64

9

Analysis

  • max time kernel
    124s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    19-10-2021 19:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rdmr_svchost.exe

  • Size

    1.8MB

  • MD5

    e37a0ece30267233f1dddf3c2300393f

  • SHA1

    27610367c41c1b8d3a26885b40fd7aac748189b2

  • SHA256

    bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d

  • SHA512

    a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2

Score
9/10
evasionransomwarespywarestealer

Malware Config

Signatures

  • Clears Windows event logs 1 TTPs
    evasionransomware
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rdmr_svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\rdmr_svchost.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\WIN_TEMP\conhost.exe
      "C:\Windows\WIN_TEMP\conhost.exe" C:\Users\Admin\AppData\Local\Temp\rdmr_svchost.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Deletes itself
      • Drops desktop.ini file(s)
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:3332
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:364
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log Application
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2624
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log Security
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1448
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3956
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log Setup
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2168
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil clear-log System
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1268
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil clear-log System
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1444
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

1
T1070

File Deletion

2
T1107

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\WIN_TEMP\conhost.exe
    MD5

    e37a0ece30267233f1dddf3c2300393f

    SHA1

    27610367c41c1b8d3a26885b40fd7aac748189b2

    SHA256

    bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d

    SHA512

    a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2

    Download Submit
  • C:\Windows\WIN_TEMP\conhost.exe
    MD5

    e37a0ece30267233f1dddf3c2300393f

    SHA1

    27610367c41c1b8d3a26885b40fd7aac748189b2

    SHA256

    bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d

    SHA512

    a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2

    Download Submit
  • memory/364-120-0x0000000000000000-mapping.dmp
    Download
  • memory/1268-126-0x0000000000000000-mapping.dmp
    Download
  • memory/1292-115-0x0000000000000000-mapping.dmp
    Download
  • memory/1444-127-0x0000000000000000-mapping.dmp
    Download
  • memory/1448-123-0x0000000000000000-mapping.dmp
    Download
  • memory/1916-118-0x0000000000000000-mapping.dmp
    Download
  • memory/2168-125-0x0000000000000000-mapping.dmp
    Download
  • memory/2524-122-0x0000000000000000-mapping.dmp
    Download
  • memory/2624-121-0x0000000000000000-mapping.dmp
    Download
  • memory/3332-119-0x0000000000000000-mapping.dmp
    Download
  • memory/3956-124-0x0000000000000000-mapping.dmp
    Download