Analysis
- max time kernel: 124s
- max time network: 132s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 19-10-2021 19:55
Static task: static1
Behavioral task: behavioral1
- Sample: rdmr_svchost.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: rdmr_svchost.exe
- Resource: win10-en-20211014
General
- Target: rdmr_svchost.exe
- Size: 1.8MB
- MD5: e37a0ece30267233f1dddf3c2300393f
- SHA1: 27610367c41c1b8d3a26885b40fd7aac748189b2
- SHA256: bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d
- SHA512: a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2
Malware Config
Signatures
- Clears Windows event logs (1 TTPs)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  - 1292 conhost.exe
- Modifies extensions of user files (8 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / IoC / process):
  - File created: C:\Users\Admin\Pictures\SkipHide.crw.redeem (conhost.exe)
  - File created: C:\Users\Admin\Pictures\SkipInitialize.tiff.redeem (conhost.exe)
  - File created: C:\Users\Admin\Pictures\InitializeMount.crw.redeem (conhost.exe)
  - File opened for modification: C:\Users\Admin\Pictures\SkipInitialize.tiff (conhost.exe)
  - File opened for modification: C:\Users\Admin\Pictures\UseShow.tiff (conhost.exe)
  - File created: C:\Users\Admin\Pictures\FormatRename.png.redeem (conhost.exe)
  - File created: C:\Users\Admin\Pictures\UseShow.tiff.redeem (conhost.exe)
  - File created: C:\Users\Admin\Pictures\WatchBackup.tif.redeem (conhost.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / IoC / process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation (rdmr_svchost.exe)
- Deletes itself (1 IoCs)
  Processes (pid / process):
  - 1292 conhost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (5 IoCs)
  Processes (description / IoC / process):
  - File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini (conhost.exe)
  - File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini (conhost.exe)
  - File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini (conhost.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini (conhost.exe)
  - File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini (conhost.exe)
- Drops file in Windows directory (3 IoCs)
  Processes (description / IoC / process):
  - File opened for modification: C:\Windows\WIN_TEMP\ (rdmr_svchost.exe)
  - File created: C:\Windows\WIN_TEMP\conhost.exe (rdmr_svchost.exe)
  - File opened for modification: C:\Windows\WIN_TEMP\conhost.exe (rdmr_svchost.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid / process):
  - 3332 vssadmin.exe
- Modifies registry class (1 IoCs)
  Processes (description / IoC / process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance (rdmr_svchost.exe)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process):
  - Token: SeBackupPrivilege 592 vssvc.exe
  - Token: SeRestorePrivilege 592 vssvc.exe
  - Token: SeAuditPrivilege 592 vssvc.exe
  - Token: SeSecurityPrivilege 2624 wevtutil.exe
  - Token: SeBackupPrivilege 2624 wevtutil.exe
  - Token: SeSecurityPrivilege 1448 wevtutil.exe
  - Token: SeBackupPrivilege 1448 wevtutil.exe
  - Token: SeSecurityPrivilege 2168 wevtutil.exe
  - Token: SeBackupPrivilege 2168 wevtutil.exe
  - Token: SeSecurityPrivilege 1444 wevtutil.exe
  - Token: SeBackupPrivilege 1444 wevtutil.exe
  - Token: SeTakeOwnershipPrivilege 1292 conhost.exe (53 identical entries)
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (description / pid / process / target process); each entry is recorded three times in the report:
  - PID 2188 wrote to memory of 1292: rdmr_svchost.exe -> conhost.exe (x3)
  - PID 1292 wrote to memory of 1916: conhost.exe -> cmd.exe (x3)
  - PID 1916 wrote to memory of 3332: cmd.exe -> vssadmin.exe (x3)
  - PID 1292 wrote to memory of 364: conhost.exe -> cmd.exe (x3)
  - PID 364 wrote to memory of 2624: cmd.exe -> wevtutil.exe (x3)
  - PID 1292 wrote to memory of 2524: conhost.exe -> cmd.exe (x3)
  - PID 2524 wrote to memory of 1448: cmd.exe -> wevtutil.exe (x3)
  - PID 1292 wrote to memory of 3956: conhost.exe -> cmd.exe (x3)
  - PID 3956 wrote to memory of 2168: cmd.exe -> wevtutil.exe (x3)
  - PID 1292 wrote to memory of 1268: conhost.exe -> cmd.exe (x3)
  - PID 1268 wrote to memory of 1444: cmd.exe -> wevtutil.exe (x3)
Processes (indented by process tree depth)
- C:\Users\Admin\AppData\Local\Temp\rdmr_svchost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rdmr_svchost.exe"
  Signatures: Checks computer location settings; Drops file in Windows directory; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\WIN_TEMP\conhost.exe
    Command line: "C:\Windows\WIN_TEMP\conhost.exe" C:\Users\Admin\AppData\Local\Temp\rdmr_svchost.exe
    Signatures: Executes dropped EXE; Modifies extensions of user files; Deletes itself; Drops desktop.ini file(s); Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /All /Quiet
        Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wevtutil.exe
        Command line: wevtutil clear-log Application
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wevtutil.exe
        Command line: wevtutil clear-log Security
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wevtutil.exe
        Command line: wevtutil clear-log Setup
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log System
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wevtutil.exe
        Command line: wevtutil clear-log System
        Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\WIN_TEMP\conhost.exe
  MD5: e37a0ece30267233f1dddf3c2300393f
  SHA1: 27610367c41c1b8d3a26885b40fd7aac748189b2
  SHA256: bb7e2066f53bdbb8e93edfa8e900d5be3e2d00ca0a59f9feaa8b8107db7a5d4d
  SHA512: a0e5ceafb39f9ad3774d6a250646bae5f5595c1330bef3df7d448778ee519bc35ce221526c1a4d3db88107b5ccf1b465eef11e5b00cfc680bcdb9cea92ba87c2
- memory/364-120-0x0000000000000000-mapping.dmp
- memory/1268-126-0x0000000000000000-mapping.dmp
- memory/1292-115-0x0000000000000000-mapping.dmp
- memory/1444-127-0x0000000000000000-mapping.dmp
- memory/1448-123-0x0000000000000000-mapping.dmp
- memory/1916-118-0x0000000000000000-mapping.dmp
- memory/2168-125-0x0000000000000000-mapping.dmp
- memory/2524-122-0x0000000000000000-mapping.dmp
- memory/2624-121-0x0000000000000000-mapping.dmp
- memory/3332-119-0x0000000000000000-mapping.dmp
- memory/3956-124-0x0000000000000000-mapping.dmp