Malware Analysis Report

2025-01-18 18:19

Sample ID 241211-sqgcmssnbr
Target v2.bin(1).zip
SHA256 f442d0543f6df79be9fbaed90af2dedbcf2e4774561421763577b148a9ff8554
Tags
$2a$12$ltqvwf.cqvh9w5jzkak9lo0hmlnifwtufobj86ge.hlzgvclg6xhw 7563 sodinokibi credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f442d0543f6df79be9fbaed90af2dedbcf2e4774561421763577b148a9ff8554

Threat Level: Known bad

The file v2.bin(1).zip was found to be: Known bad.

Malicious Activity Summary

Sodin, Sodinokibi, REvil

Sodinokibi family

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-11 15:19

Signatures

Sodinokibi family

sodinokibi

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-11 15:19

Reported

2024-12-11 15:22

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

147s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\v2.bin(1).zip"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\v2.bin(1).zip"

Network


Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-11 15:19

Reported

2024-12-11 15:22

Platform

win11-20241007-en

Max time kernel

91s

Max time network

96s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\v2.bin(1).zip"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\v2.bin(1).zip"

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-11 15:19

Reported

2024-12-11 15:22

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\v2.exe"

Signatures

Sodin, Sodinokibi, REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\4q0lh535n-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t37pwx2.bmp" C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\RemoveExpand.m1v C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RemoveRegister.ogg C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\TestDisconnect.wps C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\UnregisterJoin.edrwx C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RegisterExit.3gp2 C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\MountAdd.tif C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\PopConvertTo.TS C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\SwitchConvertTo.3g2 C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\DisconnectStop.css C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ImportEdit.sql C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RemoveFormat.jpg C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\StopConvertTo.docx C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ExpandRead.mov C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\SubmitOpen.ram C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ExpandRevoke.docx C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\NewConvertTo.xsl C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\UnprotectBlock.au C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File created \??\c:\program files (x86)\4q0lh535n-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\GroupSearch.M2TS C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\JoinInitialize.mhtml C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RedoUnblock.dwg C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ConvertInitialize.vbs C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\GrantMount.jfif C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\StepConfirm.mhtml C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\SyncRemove.cfg C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\DismountFormat.xltx C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ConvertToResume.avi C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\DenyHide.inf C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\LockStart.ods C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\OutApprove.html C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RequestMount.M2T C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\UpdateUse.M2TS C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File created \??\c:\program files\4q0lh535n-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2760 wrote to memory of 5200 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 2760 wrote to memory of 5200 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\v2.exe

"C:\Users\Admin\AppData\Local\Temp\v2.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MergeExit.M2V.4q0lh535n

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\4q0lh535n-readme.txt

Network


Files

C:\Recovery\4q0lh535n-readme.txt

MD5 a3a93b226a531ebef002ccc22096b84d
SHA1 4946bb2ff453a66fba26409a0ef93671735e1760
SHA256 ad48b78d56e0de00347c0977da8f51429d427ef5460dc1755fb7051a2b2d4fb8
SHA512 8c2b4acb8da6ae456f7f27d1f60e558f6f3c2358d73835d6d3c4b567e9d9efb82e1fcab0ea93dd288f1d149d9f5613eb4b0e436c8dba9b18834bd057e75fbf9d

C:\Users\Admin\Desktop\MergeExit.M2V.4q0lh535n

MD5 ecb9918dc82a16cc96003818914b91dc
SHA1 83a522e80a11f90060c3008f7fa9ce615d116b98
SHA256 bc573d7403377a6d6a9f6538b604bca8a0f6c5046ec1287c4117bb959241e96a
SHA512 c254def55a733cc5681fe16fe5118ba60dd963d0d9998f14586bb4f388094333cc1883d5d59f6b7cc9b83ebb09cdba2bb626a90a5bd1d5840c75729900ae4fcf

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-11 15:19

Reported

2024-12-11 15:22

Platform

win11-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\v2.exe"

Signatures

Sodin, Sodinokibi, REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\1w0le84-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\p98sc44.bmp" C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\UnprotectEnable.ogg C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File created \??\c:\program files (x86)\1w0le84-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\CheckpointUnprotect.htm C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\CompareUnpublish.css C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\MoveEnable.asx C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\OpenHide.odt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\RepairUndo.midi C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\SaveGrant.xlt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\SplitApprove.3gp2 C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\AddUnblock.csv C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ClosePublish.vb C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\TraceSkip.mp3 C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\GrantUnblock.M2TS C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\SkipClear.vstm C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\UpdateRename.js C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File created \??\c:\program files\1w0le84-readme.txt C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
File opened for modification \??\c:\program files\ClearUse.otf C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\v2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\v2.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\v2.exe

"C:\Users\Admin\AppData\Local\Temp\v2.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network


Files

C:\Recovery\1w0le84-readme.txt

MD5 c833742e2a9fde83d8d1e0eb26c85106
SHA1 e20d88f7e14e8b543e025f1c3d402b3f3986952b
SHA256 b20b75f9c330f297616b8be5298257ba569a2e06dd3c8845b00460cd836f8dee
SHA512 c6edfce8b42294869d2b969fabc9511c03a7472c073513c6bd96cb81ebcd1aad1421a6f6d1070b974fc42c78274841fc83ad6b0c2d44b8fcd6a905aebaf93b3d