Overview

overview

10

Static

static

10

bazaar.202...ge.exe

windows7-x64

1

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

6

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...32.exe

windows7-x64

7

bazaar.202...32.exe

windows7-x64

7

bazaar.202...RC.exe

windows7-x64

1

bazaar.202...oad.js

windows7-x64

3

bazaar.202...nt.exe

windows7-x64

7

bazaar.202...in.dll

windows7-x64

6

bazaar.202...in.dll

windows7-x64

1

bazaar.202...in.dll

windows7-x64

6

bazaar.202...in.dll

windows7-x64

10

bazaar.202...in.dll

windows7-x64

1

bazaar.202...in.dll

windows7-x64

10

bazaar.202...in.dll

windows7-x64

1

bazaar.202...in.dll

windows7-x64

1

bazaar.202...in.dll

windows7-x64

6

bazaar.202...in.dll

windows7-x64

1

bazaar.202...in.dll

windows7-x64

10

bazaar.202...in.dll

windows7-x64

10

bazaar.202...in.dll

windows7-x64

10

bazaar.202...in.dll

windows7-x64

6

bazaar.202...in.dll

windows7-x64

6

bazaar.202...in.dll

windows7-x64

10

Resubmissions

28-04-2024 18:31

240428-w6cwyaec5v 10

21-04-2024 08:57

240421-kwwqhsfh8z 10

21-04-2024 05:45

240421-gfvazacf82 10

18-04-2024 19:05

240418-xry2ascb73 10

18-04-2024 16:34

240418-t3alashf75 10

04-03-2024 18:33

240304-w7b12ahg61 10

02-03-2024 17:01

240302-vjn51sff57 10

02-03-2024 10:05

240302-l4xhfscc7v 10

Analysis

  • max time kernel
    1559s
  • max time network
    1566s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-03-2024 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll

  • Size

    164KB

  • MD5

    708ef2feaf6fc35f33486111d9c0f97b

  • SHA1

    9d91bfe8fd44ff1d75551807017e634c2b7580d1

  • SHA256

    23d7cd4b0535b40662dc211b4ae28c4b5383c66b4b686064bd391a259da80d48

  • SHA512

    35db49ab278f1c78d7193e8c75d07fd9d66bab62a7f140b451f03b9fe49138525d92ffe08cd155ae4b6ceec4eca91f2253fba71ddf1af5cb6f701d9b3899d04f

  • SSDEEP

    3072:v0XoUeZ/DVS8L73ea4MoCLfqQvFfsJmjUm:veoUeZR2TRCWQFfsJmj

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
      2⤵
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1608
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2748
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3004

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1608-4-0x000000001B370000-0x000000001B652000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1608-5-0x0000000002220000-0x0000000002228000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1608-6-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1608-7-0x0000000002620000-0x00000000026A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1608-8-0x0000000002620000-0x00000000026A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1608-9-0x0000000002620000-0x00000000026A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1608-10-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1608-11-0x0000000002620000-0x00000000026A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1608-12-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

      Filesize

      9.6MB

      Download