Malware Analysis Report

2025-01-18 18:21

Sample ID 241209-cyqy2syjcx
Target v2.bin1.zip
SHA256 f442d0543f6df79be9fbaed90af2dedbcf2e4774561421763577b148a9ff8554
Tags
sodinokibi credential_access discovery ransomware spyware stealer $2a$12$ltqvwf.cqvh9w5jzkak9lo0hmlnifwtufobj86ge.hlzgvclg6xhw 7563
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f442d0543f6df79be9fbaed90af2dedbcf2e4774561421763577b148a9ff8554

Threat Level: Known bad

The file v2.bin1.zip was found to be: Known bad.

Malicious Activity Summary

sodinokibi credential_access discovery ransomware spyware stealer $2a$12$ltqvwf.cqvh9w5jzkak9lo0hmlnifwtufobj86ge.hlzgvclg6xhw 7563

Sodinokibi family

Sodin, Sodinokibi, REvil

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Drops startup file

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Uses Volume Shadow Copy service COM API

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-09 02:29

Signatures

Sodinokibi family

sodinokibi

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-09 02:29

Reported

2024-12-09 02:31

Platform

win7-20240708-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\v2.exe"

Signatures

Sodin, Sodinokibi, REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\1d281dn829-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\214osn.bmp" C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\1d281dn829-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\CompareGroup.jpe C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\PushCopy.TTS C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ShowAdd.pub C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\1d281dn829-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\1d281dn829-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File created \??\c:\program files\1d281dn829-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\EnterSync.dxf C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\StartFind.dot C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\InvokeGrant.odp C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ReadRevoke.midi C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RedoUnpublish.dotx C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RequestClose.gif C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RevokeNew.xlsb C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\WriteInvoke.raw C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\CloseUse.rle C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ExitAssert.MTS C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ConfirmWait.pptm C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\DisconnectRegister.rm C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ReceiveRemove.odp C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\StopOut.css C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\OutStep.crw C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RestoreUndo.doc C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\WaitInitialize.odp C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\AddPing.midi C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ConvertJoin.dib C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\EnterInstall.potx C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\InstallSelect.eps C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\PingGet.M2V C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RepairCheckpoint.xps C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\1d281dn829-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ConvertFromRegister.png C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\DismountSearch.csv C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\v2.exe

"C:\Users\Admin\AppData\Local\Temp\v2.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto

Files

C:\Recovery\1d281dn829-readme.txt

MD5 c94f24d9b51422e79ab9d039cd115f6b
SHA1 352199b79319a740c68516caaf26d2fe8099f4da
SHA256 6dc35f9e1ac899fe46390e522413b6d5cc08b3458d6e27cc6b9ae9a068ddac54
SHA512 e28e061f03d0e351239fae4d60ee25a7f8b57f625372d669d6a3584d601b80eb31e6dcde89d29b79ae2f6e525ef053775ddeec80101ba37d41e5b172c8c5634e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1F77.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Windows\System32\catroot2\dberr.txt

MD5 1b8825843707e56dddcea3a095a0d380
SHA1 f649e82dc9ba9024c1953d79fb9c2db660d5b2c7
SHA256 6d1566e86d1fc002ef8a5818e94f712e77ef4c005afddfa9012782c212297d54
SHA512 45bdcf0009c9e8c192cea205dd0f20d3cc41ab606d4462e331cf430a46db6087589e3742d762aac9965a4e70eb256794770b70b59ba85319b750a6e4f43dea9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 f0d893ec37e1632dd5231e068ffd220d
SHA1 0ea0320d208dc4fd511adc066b9f1c8a07e6c812
SHA256 6765ef7b9b9071e9efa316a6d3e11b4fa146cfd486f468033dd276460d7a3312
SHA512 97faaf1a8b80c79a58c3598b484899a6a9f42afc2baee5c27098732d181174a3286d9c3290bc618c3f4f71cf962de45a482991993a38f4b4d4c071a3b0ad2eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d4147d157eaf79bc15e6058a0f0de4d
SHA1 156c93174943f1f65176fb6a0b843e674776e7df
SHA256 c6bc9acacbc40dd830d05e49a7eae3f0e91e8db6a6026b76af8678b221d8e2a8
SHA512 c05675d9c9d4b8747d3eb30e68003f4a86ec4c90a8a38c80afa3d5221ee1c8b92a21b75e8213e2c5d5303b056942f3544a4494b999bd518bd0791c6045b444f5

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-09 02:29

Reported

2024-12-09 02:31

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\v2.exe"

Signatures

Sodin, Sodinokibi, REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\33b8i3-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6tc8.bmp" C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files\33b8i3-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RegisterUse.wdp C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RequestWatch.m4a C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\StepSkip.ttf C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\OutExit.midi C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ResetUninstall.WTV C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\SelectEnable.ini C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\StopEnter.pptm C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\UpdateClose.pcx C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\CopyReceive.pot C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ImportFormat.docx C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RedoUnlock.svgz C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\SplitDebug.xhtml C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\AssertDeny.easmx C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\CheckpointDismount.mp2 C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\UseStop.wmf C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\AddResume.3g2 C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ExpandLimit.mp2 C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RemoveJoin.xht C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\UninstallConvertFrom.ppt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File created \??\c:\program files (x86)\33b8i3-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ConvertToInstall.asp C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\DisableHide.asp C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\OpenDisable.gif C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ReadGroup.pub C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RenameGrant.tiff C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\DenyCompare.vsx C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\MountResize.search-ms C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\OutReset.wpl C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\v2.exe

"C:\Users\Admin\AppData\Local\Temp\v2.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 commercialboatbuilding.com udp
US 8.8.8.8:53 parkstreetauto.net udp
US 50.28.1.103:443 parkstreetauto.net tcp
US 8.8.8.8:53 longislandelderlaw.com udp
US 160.153.0.194:443 longislandelderlaw.com tcp
US 8.8.8.8:53 103.1.28.50.in-addr.arpa udp
US 8.8.8.8:53 lbcframingelectrical.com udp
DE 3.124.100.143:443 lbcframingelectrical.com tcp
US 8.8.8.8:53 194.0.153.160.in-addr.arpa udp
US 8.8.8.8:53 assurancesalextrespaille.fr udp
US 8.8.8.8:53 smale-opticiens.nl udp
NL 217.18.77.142:443 smale-opticiens.nl tcp
US 8.8.8.8:53 143.100.124.3.in-addr.arpa udp
US 8.8.8.8:53 naturavetal.hr udp
DE 168.119.205.241:443 naturavetal.hr tcp
US 8.8.8.8:53 www.naturavetal.hr udp
DE 168.119.205.241:443 www.naturavetal.hr tcp
US 8.8.8.8:53 142.77.18.217.in-addr.arpa udp
US 8.8.8.8:53 global-kids.info udp
US 8.8.8.8:53 kaotikkustomz.com udp
US 162.240.41.248:443 kaotikkustomz.com tcp
US 8.8.8.8:53 241.205.119.168.in-addr.arpa udp
US 8.8.8.8:53 klusbeter.nl udp
IE 34.250.140.231:443 klusbeter.nl tcp
US 8.8.8.8:53 www.klusbeter.nl udp
IE 54.77.118.147:443 www.klusbeter.nl tcp
US 8.8.8.8:53 231.140.250.34.in-addr.arpa udp
US 8.8.8.8:53 248.41.240.162.in-addr.arpa udp
US 8.8.8.8:53 147.118.77.54.in-addr.arpa udp
US 8.8.8.8:53 socstrp.org udp
US 172.67.155.193:443 socstrp.org tcp
US 8.8.8.8:53 stefanpasch.me udp
US 151.101.0.119:443 stefanpasch.me tcp
US 8.8.8.8:53 jandaonline.com udp
DE 91.203.110.207:443 jandaonline.com tcp
US 8.8.8.8:53 beyondmarcomdotcom.wordpress.com udp
US 192.0.78.13:443 beyondmarcomdotcom.wordpress.com tcp
US 8.8.8.8:53 193.155.67.172.in-addr.arpa udp
US 8.8.8.8:53 119.0.101.151.in-addr.arpa udp
US 8.8.8.8:53 207.110.203.91.in-addr.arpa udp
US 8.8.8.8:53 nmiec.com udp
US 8.8.8.8:53 13.78.0.192.in-addr.arpa udp
US 8.8.8.8:53 sabel-bf.com udp
US 8.8.8.8:53 edv-live.de udp
DE 202.61.195.82:443 edv-live.de tcp
US 8.8.8.8:53 zewatchers.com udp
FR 185.100.4.146:443 zewatchers.com tcp
US 8.8.8.8:53 controldekk.com udp
US 104.21.49.151:443 controldekk.com tcp
US 8.8.8.8:53 82.195.61.202.in-addr.arpa udp
US 8.8.8.8:53 146.4.100.185.in-addr.arpa udp
US 8.8.8.8:53 151.49.21.104.in-addr.arpa udp
US 8.8.8.8:53 berlin-bamboo-bikes.org udp
US 170.178.183.18:443 berlin-bamboo-bikes.org tcp
US 8.8.8.8:53 sauschneider.info udp
JP 133.125.48.132:443 sauschneider.info tcp
US 8.8.8.8:53 18.183.178.170.in-addr.arpa udp
US 8.8.8.8:53 norpol-yachting.com udp
PL 85.128.229.94:443 norpol-yachting.com tcp
US 8.8.8.8:53 nhadatcanho247.com udp
US 8.8.8.8:53 plantag.de udp
DE 217.160.0.197:443 plantag.de tcp
US 8.8.8.8:53 94.229.128.85.in-addr.arpa udp
US 8.8.8.8:53 paradicepacks.com udp
US 8.8.8.8:53 odiclinic.org udp
US 170.249.205.18:443 odiclinic.org tcp
US 8.8.8.8:53 197.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 grupocarvalhoerodrigues.com.br udp
US 8.8.8.8:53 ino-professional.ru udp
US 8.8.8.8:53 18.205.249.170.in-addr.arpa udp
RU 77.74.185.33:443 ino-professional.ru tcp
US 8.8.8.8:53 koken-voor-baby.nl udp
FR 152.228.189.75:443 koken-voor-baby.nl tcp
US 8.8.8.8:53 interactcenter.org udp
US 162.159.135.42:443 interactcenter.org tcp
US 8.8.8.8:53 33.185.74.77.in-addr.arpa udp
US 8.8.8.8:53 interactcenterarts.org udp
US 162.159.134.42:443 interactcenterarts.org tcp
US 8.8.8.8:53 homng.net udp
US 8.8.8.8:53 75.189.228.152.in-addr.arpa udp
US 8.8.8.8:53 42.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 42.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 vox-surveys.com udp
DE 5.189.182.42:443 vox-surveys.com tcp

Files

C:\Recovery\33b8i3-readme.txt

MD5 307728d3fd124fd69230ae7c75a66497
SHA1 6de19edd50cf8360e0de96689ccd41f62abc6640
SHA256 c82450d5f5b658a4138d8acc84fd54cb544c7f035ad2ea6cc63d53cee5a79624
SHA512 be777dfc05636c4c668c7795e6d6e4918e7f6e9ea8581fb4b5c3deb0568440c3a7e2f0704ca07d366f93007f55f786eeb6685ec30fb8ea04f7fcd83a1343f787