61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e

General

Target

sqlsrvr.exe
Size

1.8MB
MD5

e1338c42da2d2363afbbd0eeabad1ca9
SHA1

fe5d669b732c9227bb25787083906f49b732c335
SHA256

61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e
SHA512

bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a

Score

10^/10

evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Read Me.TXT

Ransom Note

8888888b. 888 888 Y88b 888 888 888 888 888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 8888888P" d8P Y8b d88" 888 d8P Y8b d8P Y8b 888 "888 "88b d8P Y8b 888P" 888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 888 T88b "Y8888 "Y88888 "Y8888 "Y8888 888 888 888 "Y8888 888 Made by Cerebrate - Dread Forums TOR [http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/] [Q1] What happened, I cannot open my files and they have an odd extension? [A1] Your files have been encrypted by Redeemer, a new ransomware operation. [Q2] Is there any way to recover my files? [A2] Yes, you can recover your files. This will however cost you money in XMR (Monero). [Q3] Is there any any way to recover my files without paying? [A3] Without paying it is impossible your files. Redeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security. Without a proper key, you will never regain access to your files. [Q4] What is XMR (Monero)? [A4] It is a privacy oriented cryptocurrency. You can learn more about Monero on getmonero.org. You can view ways to purchase it on www.monero.how/how-to-buy-monero. [Q5] How will I decrypt my files? [A5] Follow the general instructions: -1. Buy 02 XMR. -2. Contact helpdecryptmyfiles@yandex.com and send the following key: -----BEGIN REDEEMER PUBLIC KEY----- NzVC7makqkwG9LP3D4IPTZSILwpVc5I8oDPB49BgWzamObWMQI dGgVXgMOc199uuc3SFJO7Egfu7LGIl5TB8eZpG/6Xa29XSDHGj UR/UoECaSVhz34NQ3xCKQ5N+FTA06rs8YGfmtutjLKhs6rwtA4 G6taUOM+VbLbx0CH8Bz0203kotIB9LVJ+Ilty1G3x6kgUZlWKQ jTJP9kF3dBNzAQUB2dedovqGo6KESBd3Y1IFFb1ismR5+rHooe FXwjyYhuJ9Mq0AZLnLwu8r5aSaR1Io0HiWBJd6DcvA3t8VXmcf /QsbjFr/h3MM77zNSswLuTOmD17HZjZR53UWbBMJkBzT3IPdUJ Z67A/Tzu7T2/wq4c9kDBOUgp/6iOLiAtnUVN5C1MVa24GN3z7F CjinB0Iq18FDt+XqOcSEFhFZcuG2kIWvfZy+eSbx8bD01f8Bpw 8ipMm/c92WupSvi72JULiEYU++m3iNhEL45rwLLIoDfvRbMEyX Y+t4LTwCromV6jigXpLl4QxYwMP8SOoAl5y7upELdVm2ej1igw 0oZgsFIpjrUQxa6Iq22WGTByxFCWmkFVm0dJL8xvZovmD9BJ8G Rf8mpzeheX6GTYSRBGK1/JyB3NVoZzvDy002bH4kC63qU6PBGo hvZjP4b15CKzc8hETEqYUBl5wnQbXJg+hwdA== -----END REDEEMER PUBLIC KEY----- -3. You will receive an XMR address where you will need to pay the requested amount of Monero. -4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal.

Emails

helpdecryptmyfiles@yandex.com

Signatures

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1456 svchost.exe

pid	process
1456	svchost.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\CheckpointBlock.crw.redeem	svchost.exe
File created	C:\Users\Admin\Pictures\UndoEnter.raw.redeem	svchost.exe
File created	C:\Users\Admin\Pictures\InitializeRequest.tif.redeem	svchost.exe
File created	C:\Users\Admin\Pictures\SelectEdit.raw.redeem	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

sqlsrvr.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation sqlsrvr.exe
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1456 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	sqlsrvr.exe

pid	process
1456	svchost.exe

Drops desktop.ini file(s) 5 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "8888888b. 888 \n888 Y88b 888 \n888 888 888 \n888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 \n8888888P\" d8P Y8b d88\" 888 d8P Y8b d8P Y8b 888 \"888 \"88b d8P Y8b 888P\" \n888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 \n888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 \n888 T88b \"Y8888 \"Y88888 \"Y8888 \"Y8888 888 888 888 \"Y8888 888 \n\nMade by Cerebrate - Dread Forums TOR\n[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]\n\n\n\n[Q1] What happened, I cannot open my files and they have an odd extension?\n[A1] Your files have been encrypted by Redeemer, a new ransomware operation.\n\n[Q2] Is there any way to recover my files?\n[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).\n\n[Q3] Is there any any way to recover my files without paying?\n[A3] Without paying it is impossible your files.\nRedeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security.\nWithout a proper key, you will never regain access to your files.\n\n[Q4] What is XMR (Monero)?\n[A4] It is a privacy oriented cryptocurrency.\nYou can learn more about Monero on getmonero.org.\nYou can view ways to purchase it on www.monero.how/how-to-buy-monero.\n\n[Q5] How will I decrypt my files?\n[A5] Follow the general instructions:\n-1. Buy 02 XMR.\n-2. Contact helpdecryptmyfiles@yandex.com and send the following key:\n\n-----BEGIN REDEEMER PUBLIC KEY-----\nNzVC7makqkwG9LP3D4IPTZSILwpVc5I8oDPB49BgWzamObWMQI\ndGgVXgMOc199uuc3SFJO7Egfu7LGIl5TB8eZpG/6Xa29XSDHGj\nUR/UoECaSVhz34NQ3xCKQ5N+FTA06rs8YGfmtutjLKhs6rwtA4\nG6taUOM+VbLbx0CH8Bz0203kotIB9LVJ+Ilty1G3x6kgUZlWKQ\njTJP9kF3dBNzAQUB2dedovqGo6KESBd3Y1IFFb1ismR5+rHooe\nFXwjyYhuJ9Mq0AZLnLwu8r5aSaR1Io0HiWBJd6DcvA3t8VXmcf\n/QsbjFr/h3MM77zNSswLuTOmD17HZjZR53UWbBMJkBzT3IPdUJ\nZ67A/Tzu7T2/wq4c9kDBOUgp/6iOLiAtnUVN5C1MVa24GN3z7F\nCjinB0Iq18FDt+XqOcSEFhFZcuG2kIWvfZy+eSbx8bD01f8Bpw\n8ipMm/c92WupSvi72JULiEYU++m3iNhEL45rwLLIoDfvRbMEyX\nY+t4LTwCromV6jigXpLl4QxYwMP8SOoAl5y7upELdVm2ej1igw\n0oZgsFIpjrUQxa6Iq22WGTByxFCWmkFVm0dJL8xvZovmD9BJ8G\nRf8mpzeheX6GTYSRBGK1/JyB3NVoZzvDy002bH4kC63qU6PBGo\nhvZjP4b15CKzc8hETEqYUBl5wnQbXJg+hwdA==\n-----END REDEEMER PUBLIC KEY-----\n\n-3. You will receive an XMR address where you will need to pay the requested amount of Monero.\n-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "8888888b. 888 \n888 Y88b 888 \n888 888 888 \n888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 \n8888888P\" d8P Y8b d88\" 888 d8P Y8b d8P Y8b 888 \"888 \"88b d8P Y8b 888P\" \n888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 \n888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 \n888 T88b \"Y8888 \"Y88888 \"Y8888 \"Y8888 888 888 888 \"Y8888 888 \n\nMade by Cerebrate - Dread Forums TOR\n[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]\n\n\n\n[Q1] What happened, I cannot open my files and they have an odd extension?\n[A1] Your files have been encrypted by Redeemer, a new ransomware operation.\n\n[Q2] Is there any way to recover my files?\n[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).\n\n[Q3] Is there any any way to recover my files without paying?\n[A3] Without paying it is impossible your files.\nRedeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security.\nWithout a proper key, you will never regain access to your files.\n\n[Q4] What is XMR (Monero)?\n[A4] It is a privacy oriented cryptocurrency.\nYou can learn more about Monero on getmonero.org.\nYou can view ways to purchase it on www.monero.how/how-to-buy-monero.\n\n[Q5] How will I decrypt my files?\n[A5] Follow the general instructions:\n-1. Buy 02 XMR.\n-2. Contact helpdecryptmyfiles@yandex.com and send the following key:\n\n-----BEGIN REDEEMER PUBLIC KEY-----\nNzVC7makqkwG9LP3D4IPTZSILwpVc5I8oDPB49BgWzamObWMQI\ndGgVXgMOc199uuc3SFJO7Egfu7LGIl5TB8eZpG/6Xa29XSDHGj\nUR/UoECaSVhz34NQ3xCKQ5N+FTA06rs8YGfmtutjLKhs6rwtA4\nG6taUOM+VbLbx0CH8Bz0203kotIB9LVJ+Ilty1G3x6kgUZlWKQ\njTJP9kF3dBNzAQUB2dedovqGo6KESBd3Y1IFFb1ismR5+rHooe\nFXwjyYhuJ9Mq0AZLnLwu8r5aSaR1Io0HiWBJd6DcvA3t8VXmcf\n/QsbjFr/h3MM77zNSswLuTOmD17HZjZR53UWbBMJkBzT3IPdUJ\nZ67A/Tzu7T2/wq4c9kDBOUgp/6iOLiAtnUVN5C1MVa24GN3z7F\nCjinB0Iq18FDt+XqOcSEFhFZcuG2kIWvfZy+eSbx8bD01f8Bpw\n8ipMm/c92WupSvi72JULiEYU++m3iNhEL45rwLLIoDfvRbMEyX\nY+t4LTwCromV6jigXpLl4QxYwMP8SOoAl5y7upELdVm2ej1igw\n0oZgsFIpjrUQxa6Iq22WGTByxFCWmkFVm0dJL8xvZovmD9BJ8G\nRf8mpzeheX6GTYSRBGK1/JyB3NVoZzvDy002bH4kC63qU6PBGo\nhvZjP4b15CKzc8hETEqYUBl5wnQbXJg+hwdA==\n-----END REDEEMER PUBLIC KEY-----\n\n-3. You will receive an XMR address where you will need to pay the requested amount of Monero.\n-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal."	svchost.exe

Drops file in Windows directory 3 IoCs

Processes:

sqlsrvr.exe

description	ioc	process
File opened for modification	C:\Windows\ProgramData__\	sqlsrvr.exe
File created	C:\Windows\ProgramData__\svchost.exe	sqlsrvr.exe
File opened for modification	C:\Windows\ProgramData__\svchost.exe	sqlsrvr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1092 vssadmin.exe

pid	process
1092	vssadmin.exe

Modifies registry class 8 IoCs

Processes:

sqlsrvr.execmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	sqlsrvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command\ = "\"C:\\Windows\\system32\\cmd.exe\" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file."	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.redeem	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.redeem\ = "redeemer"	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exesvchost.exe

description	pid	process
Token: SeBackupPrivilege	344	vssvc.exe
Token: SeRestorePrivilege	344	vssvc.exe
Token: SeAuditPrivilege	344	vssvc.exe
Token: SeSecurityPrivilege	1764	wevtutil.exe
Token: SeBackupPrivilege	1764	wevtutil.exe
Token: SeSecurityPrivilege	1052	wevtutil.exe
Token: SeBackupPrivilege	1052	wevtutil.exe
Token: SeSecurityPrivilege	1164	wevtutil.exe
Token: SeBackupPrivilege	1164	wevtutil.exe
Token: SeSecurityPrivilege	2084	wevtutil.exe
Token: SeBackupPrivilege	2084	wevtutil.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe
Token: SeTakeOwnershipPrivilege	1456	svchost.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

sqlsrvr.exesvchost.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2148 wrote to memory of 1456	2148	sqlsrvr.exe	svchost.exe
PID 2148 wrote to memory of 1456	2148	sqlsrvr.exe	svchost.exe
PID 2148 wrote to memory of 1456	2148	sqlsrvr.exe	svchost.exe
PID 1456 wrote to memory of 2224	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 2224	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 2224	1456	svchost.exe	cmd.exe
PID 2224 wrote to memory of 1092	2224	cmd.exe	vssadmin.exe
PID 2224 wrote to memory of 1092	2224	cmd.exe	vssadmin.exe
PID 2224 wrote to memory of 1092	2224	cmd.exe	vssadmin.exe
PID 1456 wrote to memory of 3524	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 3524	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 3524	1456	svchost.exe	cmd.exe
PID 3524 wrote to memory of 1764	3524	cmd.exe	wevtutil.exe
PID 3524 wrote to memory of 1764	3524	cmd.exe	wevtutil.exe
PID 3524 wrote to memory of 1764	3524	cmd.exe	wevtutil.exe
PID 1456 wrote to memory of 3252	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 3252	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 3252	1456	svchost.exe	cmd.exe
PID 3252 wrote to memory of 1052	3252	cmd.exe	wevtutil.exe
PID 3252 wrote to memory of 1052	3252	cmd.exe	wevtutil.exe
PID 3252 wrote to memory of 1052	3252	cmd.exe	wevtutil.exe
PID 1456 wrote to memory of 3600	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 3600	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 3600	1456	svchost.exe	cmd.exe
PID 3600 wrote to memory of 1164	3600	cmd.exe	wevtutil.exe
PID 3600 wrote to memory of 1164	3600	cmd.exe	wevtutil.exe
PID 3600 wrote to memory of 1164	3600	cmd.exe	wevtutil.exe
PID 1456 wrote to memory of 1068	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 1068	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 1068	1456	svchost.exe	cmd.exe
PID 1068 wrote to memory of 2084	1068	cmd.exe	wevtutil.exe
PID 1068 wrote to memory of 2084	1068	cmd.exe	wevtutil.exe
PID 1068 wrote to memory of 2084	1068	cmd.exe	wevtutil.exe
PID 1456 wrote to memory of 1168	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 1168	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 1168	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 1524	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 1524	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 1524	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 1464	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 1464	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 1464	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 1476	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 1476	1456	svchost.exe	cmd.exe
PID 1456 wrote to memory of 1476	1456	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\sqlsrvr.exe
"C:\Users\Admin\AppData\Local\Temp\sqlsrvr.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\ProgramData__\svchost.exe
"C:\Windows\ProgramData__\svchost.exe" C:\Users\Admin\AppData\Local\Temp\sqlsrvr.exe
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Deletes itself
- Drops desktop.ini file(s)
- Modifies WinLogon
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
3⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log Application
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
3⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log Security
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
3⤵
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log Setup
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil clear-log System
3⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log System
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
3⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet
3⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ftype redeemer="C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
3⤵
- Modifies registry class
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c assoc .redeem=redeemer
3⤵
- Modifies registry class
PID:1476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Indicator Removal on Host

1

T1070

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ProgramData__\svchost.exe
MD5
e1338c42da2d2363afbbd0eeabad1ca9

SHA1
fe5d669b732c9227bb25787083906f49b732c335

SHA256
61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e

SHA512
bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a

Download Submit
C:\Windows\ProgramData__\svchost.exe
MD5
e1338c42da2d2363afbbd0eeabad1ca9

SHA1
fe5d669b732c9227bb25787083906f49b732c335

SHA256
61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e

SHA512
bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a

Download Submit
memory/1052-123-0x0000000000000000-mapping.dmp

Download
memory/1068-126-0x0000000000000000-mapping.dmp

Download
memory/1092-119-0x0000000000000000-mapping.dmp

Download
memory/1164-125-0x0000000000000000-mapping.dmp

Download
memory/1168-128-0x0000000000000000-mapping.dmp

Download
memory/1456-115-0x0000000000000000-mapping.dmp

Download
memory/1464-130-0x0000000000000000-mapping.dmp

Download
memory/1476-131-0x0000000000000000-mapping.dmp

Download
memory/1524-129-0x0000000000000000-mapping.dmp

Download
memory/1764-121-0x0000000000000000-mapping.dmp

Download
memory/2084-127-0x0000000000000000-mapping.dmp

Download
memory/2224-118-0x0000000000000000-mapping.dmp

Download
memory/3252-122-0x0000000000000000-mapping.dmp

Download
memory/3524-120-0x0000000000000000-mapping.dmp

Download
memory/3600-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads