Analysis

  • max time kernel
    120s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/11/2023, 23:40

General

  • Target

    5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe

  • Size

    164KB

  • MD5

    17d54fde8f0dca439f4c32a02598e382

  • SHA1

    5eb54861db41b62e9fa296f703f06b8e52d1941d

  • SHA256

    5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c

  • SHA512

    09473f8ad9cd0d614d4a6fed4f7c34bba89f4a3e8cd0a350870e716b1f499d0d99f25ea436b13512094bf2f56178d5f9ffa8c74ad125c4c61e6aaba7b2a814b5

  • SSDEEP

    3072:ffYWjswg4fQlt4ndm8jX5IXzs+M9VQHDOVFI0kmit3:ffYWAw9fcUdmwIXo+M9VQHDlZmit

Score
10/10

Malware Config

Extracted

Path

C:\Users\491t4m39-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 491t4m39. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/325EDC4FB02950E1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/325EDC4FB02950E1 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Ffolu1/q89t99PEqIu7YMG9JmvPDuYzuGjKDuIYxV0i89YBD5mMymZFxUjGCABYs WfLEpPUUyaX2oEstkxTG1e+Y+6poYNhAMey1s4kgdRojwk7vQy0kLcLKUlo47C0F 0b2wT7kLAb6XRBVrpt+OLOipW3Vf78r6zeM0jpGROHHBSFGO1rm0lnkpKl3q6KsM N90JTOruT1ieBF+T2fTOfJPKgRowqk67ZHu0buOWIoJj0AyzdJjxYQ/ynIij8zhQ gDsuZB7JvNI+dhaDmyNom49pA5fr5FtxuAo836glee+c+ct28RCvl8b320tPdmCD 6d9H0Z0ADig2gJexY1AbDldxZ//zH2T26OW4/STWCSw3oiAwW6QR5FflYQFSne6K 9aJYcBDIwRg84iRMolNRdaDaAJTC/CEMEKDuUeIhEmWhQ2/JOC+uRvLwQZJ8+PIE 6PL/59QkbBOh/0MBISX2WV++DyTmBcdw80p4vTRu+DskHWtrGMk7mvWDGFq0kmT5 v93v7ZlwNLXh3gTwGjdrqQWp5apaIhHYsJlAKjU0Izcv1SeHXnI5nV8bpZD7+ETf KAWqlJKAVWxW0OPhq2muNzYK4ojNu0WRrlrBxjMaUxsNGOWxbg0KIAyGyFyvnZWq gggwIjSNmpqJOMgUuY1VUqTBjNrnv78U5JuPHsB3O3H41yMls+JW3EWTRaNZyg4F MWxXasDAL96kgMOdupbN+bhYgX7ojO34iYuSFxZmZzKI0G/QI/trXnUpp6Tomvu+ Q7eKKpewaaDO4pbliOlm4KTeb1gpEuybx//tFF88YXE4M6xYbGRXTmFgtBmEqYgL ZFz5wWmBaS+a4qXKP265ODY8fPScmMT02zLsfpj809Zq2H/F1gAU8jM2J+acnEfO 27rQhCZRAbnf7JC21fOXxn5cOMoFdoUNcrVzrkYpazwpxrChrsLctxKKm7JtzNwE E6IXpMODFV56Ql5GurBN0bapkJFrMCFQQRWn16eIMCZje2vbEljt/Xrh3VLOvcOs 8StHRAPhwJw7YmBgWhaS54hQVWakRiyeWDIsB/5VsZaiJzhyhpPIkSxoqhC2ALiw ZpnnLaM2bqVGmvTeEUOGVV9de3dftq305VvIrwEJkrgPS8WHYV6oR+YFs1n3hliq CAWW9vePEgG9LZHNIQbATZ7Dhoq2TNyyQ/DoKYeF1AjHAxl7Ei1bqZo+s8veNQoz ZKNHoNcSk+5gbDbwB9A= Extension name: 491t4m39 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/325EDC4FB02950E1

http://decryptor.top/325EDC4FB02950E1

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe
    "C:\Users\Admin\AppData\Local\Temp\5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2120
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:588
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2076

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\491t4m39-readme.txt

      Filesize

      6KB

      MD5

      21f32f7be42b9a1c206ceadf5f6aae5b

      SHA1

      c93f84729d0c6c9ca017f2e57d7b72b27028ff7e

      SHA256

      a0c63f190869ba1de562d2f63e1e04d299b2ca502917a568e733374a4d8303a0

      SHA512

      3f0339a4f5f14709e8cdfbd40783331ef44a9b14a3da59426a88a8f0c69603fd86da98d11026773c0e880bb436820be06f87c0323ab42d47090a18ddeb43bc61

    • memory/2120-4-0x000000001B2B0000-0x000000001B592000-memory.dmp

      Filesize

      2.9MB

    • memory/2120-5-0x00000000022A0000-0x00000000022A8000-memory.dmp

      Filesize

      32KB

    • memory/2120-6-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

      Filesize

      9.6MB

    • memory/2120-7-0x00000000028A0000-0x0000000002920000-memory.dmp

      Filesize

      512KB

    • memory/2120-9-0x00000000028A0000-0x0000000002920000-memory.dmp

      Filesize

      512KB

    • memory/2120-8-0x00000000028A0000-0x0000000002920000-memory.dmp

      Filesize

      512KB

    • memory/2120-10-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

      Filesize

      9.6MB

    • memory/2120-11-0x00000000028A0000-0x0000000002920000-memory.dmp

      Filesize

      512KB

    • memory/2120-12-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

      Filesize

      9.6MB