Malware Analysis Report

2024-09-22 16:37

Sample ID: 240121-lkpnhaaedm
Target: 6cf72f5fcd8496749d957f99e8b7489d
SHA256: 5edbbf6443f06a4c257794934ceccddef65cbc68fd0e779a11b1496ae9e51eeb
Tags: babadeda sodinokibi crypter discovery evasion loader persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 5edbbf6443f06a4c257794934ceccddef65cbc68fd0e779a11b1496ae9e51eeb

Threat Level: Known bad

The file 6cf72f5fcd8496749d957f99e8b7489d was found to be: Known bad.

Malicious Activity Summary


Babadeda

Sodin, Sodinokibi, REvil

Babadeda Crypter

Modifies Windows Firewall

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Enumerates connected drives

Adds Run key to start application

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-01-21 09:35

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-21 09:35

Reported: 2024-01-21 09:38

Platform: win7-20231129-en

Max time kernel: 138s

Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe"

Signatures

Babadeda

Tags: loader crypter babadeda

Babadeda Crypter


Sodin, Sodinokibi, REvil

Tags: ransomware sodinokibi

Modifies Windows Firewall

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Roaming\\R-Tools Technology\\R-Drive Image\\rimage.exe" | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A

Checks installed software on the system

Tags: discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A

Sets desktop wallpaper using registry

Tags: ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\234287.bmp" | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\program files\ConvertFromMove.ADT | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\GetSuspend.gif | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\RestartEnable.aif | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\UnregisterSuspend.vsx | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\CloseConvertFrom.emf | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\GetUndo.vsd | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\LimitJoin.xltx | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\UnregisterRestore.bmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files\tmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files\r114f-readme.txt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\ExportInstall.odt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\SuspendDismount.wax | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\tmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\r114f-readme.txt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\AssertRename.mp4 | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\CompleteSwitch.midi | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\RepairMerge.dotm | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files (x86)\microsoft sql server compact edition\tmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files (x86)\microsoft sql server compact edition\r114f-readme.txt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\ApproveClose.wma | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\ExpandExit.rar | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\MoveClose.aif | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\PopRestore.ps1xml | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\StepUnlock.asp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\StopExpand.3gpp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\CloseCompress.xlsm | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\ConnectWait.ps1xml | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\MeasureProtect.inf | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\MountConvert.mov | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\RestartMerge.easmx | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\StepBackup.mp4v | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files (x86)\r114f-readme.txt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\ApprovePing.wma | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\EnterDisable.mp4 | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\ImportPing.M2V | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\ReceiveApprove.mp3 | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\WatchHide.shtml | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\tmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files (x86)\tmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\AddCheckpoint.sql | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\BackupExport.001 | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\RenameHide.cfg | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\ResetMeasure.ppsm | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\r114f-readme.txt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A

Uses Volume Shadow Copy service COM API

Tags: ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe

"C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe"

C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe

"C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | partnertaxi.sk | udp
US | 8.8.8.8:53 | bodyforwife.com | udp
US | 173.230.249.203:443 | bodyforwife.com | tcp
US | 173.230.249.203:443 | bodyforwife.com | tcp
US | 8.8.8.8:53 | parking.netgateway.eu | udp
DE | 91.210.226.175:443 | parking.netgateway.eu | tcp
DE | 91.210.226.175:443 | parking.netgateway.eu | tcp
US | 8.8.8.8:53 | freie-baugutachterpraxis.de | udp
FR | 92.205.52.135:443 | freie-baugutachterpraxis.de | tcp
FR | 92.205.52.135:443 | freie-baugutachterpraxis.de | tcp
US | 8.8.8.8:53 | geekwork.pl | udp
PL | 94.154.117.119:443 | geekwork.pl | tcp
PL | 94.154.117.119:443 | geekwork.pl | tcp
US | 8.8.8.8:53 | alsace-first.com | udp
FR | 213.186.33.4:443 | alsace-first.com | tcp
FR | 213.186.33.4:443 | alsace-first.com | tcp
US | 8.8.8.8:53 | jiloc.com | udp
CN | 116.153.39.128:443 | jiloc.com | tcp
CN | 119.188.49.80:443 | jiloc.com | tcp
CN | 120.233.179.100:443 | jiloc.com | tcp
CN | 218.11.1.241:443 | jiloc.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe

C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe

C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe

memory/1884-423-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2268-424-0x00000000001B0000-0x0000000000958000-memory.dmp

C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll

C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\Help.xml

\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll

memory/2268-428-0x00000000001B0000-0x0000000000958000-memory.dmp

C:\Users\r114f-readme.txt

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-21 09:35

Reported: 2024-01-21 09:38

Platform: win10v2004-20231215-en

Max time kernel: 149s

Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe"

Signatures

Babadeda

Tags: loader crypter babadeda

Babadeda Crypter


Sodin, Sodinokibi, REvil

Tags: ransomware sodinokibi

Modifies Windows Firewall

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Roaming\\R-Tools Technology\\R-Drive Image\\rimage.exe" | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A

Checks installed software on the system

Tags: discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A

Sets desktop wallpaper using registry

Tags: ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8x3s56lgg7.bmp" | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\program files\DisconnectOut.wmx | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\StopGrant.pcx | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\SwitchUnregister.001 | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\RedoSearch.mov | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\BlockStart.wpl | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\GrantEdit.i64 | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\PingUnregister.vsx | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\SyncHide.mp4 | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\UnprotectConvertTo.iso | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\WaitRead.pot | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\CloseRead.ppsx | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\PingRepair.vsdx | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\SwitchInitialize.wps | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\DenyComplete.js | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\EnableDeny.dxf | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\JoinInstall.docx | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\UnpublishRequest.vsdm | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\MeasureAssert.vbe | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\StartDismount.vdw | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\SuspendConvert.xltm | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\WaitExpand.temp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\CheckpointComplete.tiff | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\HideReceive.dib | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\SuspendMerge.vst | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\UpdateExit.zip | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files\tmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files\zzrd1r7t1-readme.txt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\RenameMerge.aiff | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\BlockUndo.xht | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files (x86)\tmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File created | \??\c:\program files (x86)\zzrd1r7t1-readme.txt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
File opened for modification | \??\c:\program files\BlockTrace.rm | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A

Uses Volume Shadow Copy service COM API

Tags: ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe

"C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe"

C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe

"C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | partnertaxi.sk | udp
US | 8.8.8.8:53 | bodyforwife.com | udp
US | 173.230.249.203:443 | bodyforwife.com | tcp
US | 8.8.8.8:53 | jamesfell.com | udp
US | 173.230.249.203:443 | jamesfell.com | tcp
US | 8.8.8.8:53 | 203.249.230.173.in-addr.arpa | udp
US | 8.8.8.8:53 | N/A | udp

Files

C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe

memory/1200-428-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe

C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe

memory/1160-429-0x0000000000810000-0x0000000000FB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll

C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\Help.xml

C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll

C:\Recovery\zzrd1r7t1-readme.txt