Resubmissions
Submitted            Analysis ID          Score
10/04/2024, 09:31    240410-lg5wbadg5y    10
12/09/2023, 11:01    230912-m4spyabg7z    10
17/08/2023, 01:52    230817-caqclseg52    10
Analysis
max time kernel: 114s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/09/2023, 11:01
Behavioral task
behavioral1
Sample: 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe
Resource: win10v2004-20230831-en
General
Target: 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe
Size: 160KB
MD5: b572a0486274ee9c0ba816c1b91b87c7
SHA1: 43a904323a8583203b307c622c71c8ca706c2462
SHA256: 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b
SHA512: 77d4ee400ded4b4be92da0170e7d2c197c312089429a1650e2843d0ceb15402d14f7e4fc3c2e84f20eeaa24995f0814c2106a37fc4cc32de7dbb4c15b6c5a171
SSDEEP: 3072:tp5SexkWi1Lbi4eTMlwDCnu/qjUt7ptQJS+s:HvGWwbnWJ/3tTQg
Malware Config
Extracted
Path: C:\ProgramData\9a5h4ix5z2-readme.txt
Family: sodinokibi
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4EA15793751D49B6
http://decryptor.top/4EA15793751D49B6
Signatures
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation

Drops startup file (2 IoCs)
Process: 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe
- File created: \??\c:\users\admin\appdata\roaming\microsoft\word\startup\9a5h4ix5z2-readme.txt
- File created: \??\c:\users\admin\appdata\roaming\microsoft\word\startup\5c4c3ad0.lock

Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe
- File opened (read-only), every drive letter except C: \??\A:, \??\B:, \??\D:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:

Drops file in System32 directory (3 IoCs)
Process: svchost.exe
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{BC9A174F-8BAC-46A8-B844-AF8D751BCC5D}.catalogItem
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxc9xk897fe.bmp"

Drops file in Program Files directory (17 IoCs)
Process: 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe
- File created: \??\c:\program files\5c4c3ad0.lock, \??\c:\program files (x86)\5c4c3ad0.lock, \??\c:\program files\9a5h4ix5z2-readme.txt, \??\c:\program files (x86)\9a5h4ix5z2-readme.txt
- File opened for modification (all under \??\c:\program files\): SkipApprove.tif, UndoApprove.3gp2, CompleteMeasure.DVR, GrantResume.wma, ExitJoin.png, StartUnprotect.doc, ResumeUninstall.midi, SelectRequest.emf, CopyUnpublish.mpeg3, ExportSelect.TS, RequestRead.contact, StepSave.vsdx, WatchRename.xla

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2152, 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe (2 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeManageVolumePrivilege, PID 4240, svchost.exe

Suspicious use of WriteProcessMemory (3 IoCs)
- PID 2152 (15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe) wrote to memory of PID 3076, procid_target 86 (3 occurrences)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe (PID 2152)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b.exe"
  - Checks computer location settings
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 3076, child of PID 2152)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\svchost.exe (PID 1800)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory

C:\Windows\system32\rundll32.exe (PID 4528)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe (PID 4240)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
Downloads