ransomexx_win | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

defense_evasion ransomware

Data Destruction

T1485

pid	Process
4496	fsutil.exe

RansomEXX Ransomware
Targeted ransomware with variants which affect Windows and Linux systems.
ransomware ransomexx_win
Ransomexx_win family
ransomexx_win

Clears Windows event logs 1 TTPs 4 IoCs

Clear Windows Event Logs

T1070.001

pid	Process
348	wevtutil.exe
620	wevtutil.exe
3024	wevtutil.exe
1752	wevtutil.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

pid	Process
384	bcdedit.exe
3160	bcdedit.exe

Renames multiple (175) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
1920	wbadmin.exe

Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490
Overwrites deleted data with Cipher tool 1 TTPs
Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
ransomware

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	RansomEXX_14_12_2020_156KB.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\E:	cipher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RansomEXX_14_12_2020_156KB.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe
5712	RansomEXX_14_12_2020_156KB.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3024	wevtutil.exe
Token: SeBackupPrivilege	3024	wevtutil.exe
Token: SeSecurityPrivilege	2340	wevtutil.exe
Token: SeBackupPrivilege	2340	wevtutil.exe
Token: SeSecurityPrivilege	1752	wevtutil.exe
Token: SeBackupPrivilege	1752	wevtutil.exe
Token: SeSecurityPrivilege	348	wevtutil.exe
Token: SeBackupPrivilege	348	wevtutil.exe
Token: SeSecurityPrivilege	620	wevtutil.exe
Token: SeBackupPrivilege	620	wevtutil.exe
Token: SeBackupPrivilege	4924	wbengine.exe
Token: SeRestorePrivilege	4924	wbengine.exe
Token: SeSecurityPrivilege	4924	wbengine.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5712 wrote to memory of 2340	5712	RansomEXX_14_12_2020_156KB.exe	93
PID 5712 wrote to memory of 2340	5712	RansomEXX_14_12_2020_156KB.exe	93
PID 5712 wrote to memory of 4496	5712	RansomEXX_14_12_2020_156KB.exe	94
PID 5712 wrote to memory of 4496	5712	RansomEXX_14_12_2020_156KB.exe	94
PID 5712 wrote to memory of 1920	5712	RansomEXX_14_12_2020_156KB.exe	95
PID 5712 wrote to memory of 1920	5712	RansomEXX_14_12_2020_156KB.exe	95
PID 5712 wrote to memory of 3160	5712	RansomEXX_14_12_2020_156KB.exe	96
PID 5712 wrote to memory of 3160	5712	RansomEXX_14_12_2020_156KB.exe	96
PID 5712 wrote to memory of 3024	5712	RansomEXX_14_12_2020_156KB.exe	98
PID 5712 wrote to memory of 3024	5712	RansomEXX_14_12_2020_156KB.exe	98
PID 5712 wrote to memory of 5728	5712	RansomEXX_14_12_2020_156KB.exe	97
PID 5712 wrote to memory of 5728	5712	RansomEXX_14_12_2020_156KB.exe	97
PID 5712 wrote to memory of 5728	5712	RansomEXX_14_12_2020_156KB.exe	97
PID 5712 wrote to memory of 620	5712	RansomEXX_14_12_2020_156KB.exe	99
PID 5712 wrote to memory of 620	5712	RansomEXX_14_12_2020_156KB.exe	99
PID 5712 wrote to memory of 384	5712	RansomEXX_14_12_2020_156KB.exe	100
PID 5712 wrote to memory of 384	5712	RansomEXX_14_12_2020_156KB.exe	100
PID 5712 wrote to memory of 1880	5712	RansomEXX_14_12_2020_156KB.exe	101
PID 5712 wrote to memory of 1880	5712	RansomEXX_14_12_2020_156KB.exe	101
PID 5712 wrote to memory of 1880	5712	RansomEXX_14_12_2020_156KB.exe	101
PID 5712 wrote to memory of 348	5712	RansomEXX_14_12_2020_156KB.exe	102
PID 5712 wrote to memory of 348	5712	RansomEXX_14_12_2020_156KB.exe	102
PID 5712 wrote to memory of 1752	5712	RansomEXX_14_12_2020_156KB.exe	92
PID 5712 wrote to memory of 1752	5712	RansomEXX_14_12_2020_156KB.exe	92
PID 5712 wrote to memory of 1012	5712	RansomEXX_14_12_2020_156KB.exe	103
PID 5712 wrote to memory of 1012	5712	RansomEXX_14_12_2020_156KB.exe	103
PID 5712 wrote to memory of 2956	5712	RansomEXX_14_12_2020_156KB.exe	113
PID 5712 wrote to memory of 2956	5712	RansomEXX_14_12_2020_156KB.exe	113
PID 5712 wrote to memory of 2956	5712	RansomEXX_14_12_2020_156KB.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\RansomEXX_14_12_2020_156KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\RansomEXX_14_12_2020_156KB.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5712
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" sl Security /e:false
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\fsutil.exe
  "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
  2⤵
  - Deletes NTFS Change Journal
  PID:4496
- C:\Windows\System32\wbadmin.exe
  "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
  2⤵
  - Deletes backup catalog
  PID:1920
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3160
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe" /w:C:
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5728
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl System
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:384
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe" /w:F:
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:1880
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Setup
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:348
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  PID:1012
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe" /w:E:
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:2956

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:448

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:6092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery