Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10bazaar.202...ge.exe
windows11-21h2-x64
1bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
6bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...32.exe
windows11-21h2-x64
7bazaar.202...32.exe
windows11-21h2-x64
7bazaar.202...RC.exe
windows11-21h2-x64
1bazaar.202...oad.js
windows11-21h2-x64
3bazaar.202...nt.exe
windows11-21h2-x64
7bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
1bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10Resubmissions
05/02/2025, 06:51
250205-hmnx7swpgk 1005/02/2025, 06:49
250205-hlsvrswpdj 1028/04/2024, 18:31
240428-w6cwyaec5v 1021/04/2024, 08:57
240421-kwwqhsfh8z 1021/04/2024, 05:45
240421-gfvazacf82 1018/04/2024, 19:05
240418-xry2ascb73 1018/04/2024, 16:34
240418-t3alashf75 1004/03/2024, 18:33
240304-w7b12ahg61 10Analysis
-
max time kernel
99s -
max time network
154s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
02/03/2024, 17:01
Static task
static1
Behavioral task
behavioral1
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Revenge.exe
Resource
win11-20240221-en
Behavioral task
behavioral2
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral3
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral4
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral5
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral6
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral7
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral8
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral9
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral10
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral11
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral12
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win11-20240221-en
Behavioral task
behavioral13
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win11-20240221-en
Behavioral task
behavioral14
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.NetWiredRC.exe
Resource
win11-20240221-en
Behavioral task
behavioral15
Sample
bazaar.2020.02/HEUR-Trojan-Downloader.Script.SLoad.js
Resource
win11-20240221-en
Behavioral task
behavioral16
Sample
bazaar.2020.02/HEUR-Trojan-PSW.MSIL.Agent.exe
Resource
win11-20240221-en
Behavioral task
behavioral17
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral18
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral19
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral20
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral21
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral22
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral23
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral24
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral25
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral26
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral27
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral28
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral29
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral30
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral31
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral32
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
General
-
Target
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
-
Size
164KB
-
MD5
395015986431f15f5bfd25aa1966ccb0
-
SHA1
3f0f0d0658641085fcdb0d009774a85e33c37758
-
SHA256
0e468c960706b3f4181f54a35650b8edbd0960785dda89a72cdd1e5d600f188b
-
SHA512
b52420194038a7e248d50f936ed877b85cdcf4bc8b1bfa01c8b823b1a619630f85e886ae12c77d7c1b664f4d41a67ddbf00938e0dea262aba51229d134f027fe
-
SSDEEP
3072:BrX1t2U05pbJ5xhxY9doh7O79siUs/NaDiMQDmbU4E:BrltH05f5v2i7O93NjMIKT
Malware Config
Extracted
C:\Recovery\2e213q-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3B808E220C7EFC0F
http://decryptor.top/3B808E220C7EFC0F
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\D: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\H: rundll32.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification \??\c:\program files\UnregisterWatch.vst rundll32.exe File opened for modification \??\c:\program files\WatchSearch.temp rundll32.exe File opened for modification \??\c:\program files\AddOpen.vbe rundll32.exe File opened for modification \??\c:\program files\PopUnblock.mp2v rundll32.exe File opened for modification \??\c:\program files\ReadClear.wmf rundll32.exe File opened for modification \??\c:\program files\SelectRedo.xlsb rundll32.exe File opened for modification \??\c:\program files\GroupClose.mp3 rundll32.exe File opened for modification \??\c:\program files\OutUnlock.svgz rundll32.exe File created \??\c:\program files\2e213q-readme.txt rundll32.exe File opened for modification \??\c:\program files\ReadUnpublish.aiff rundll32.exe File opened for modification \??\c:\program files\RestoreEnable.docx rundll32.exe File opened for modification \??\c:\program files\UseOut.mpe rundll32.exe File created \??\c:\program files (x86)\2e213q-readme.txt rundll32.exe File opened for modification \??\c:\program files\MergeLimit.potx rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2828 rundll32.exe 2828 rundll32.exe 4804 powershell.exe 4804 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4804 powershell.exe Token: SeBackupPrivilege 4840 vssvc.exe Token: SeRestorePrivilege 4840 vssvc.exe Token: SeAuditPrivilege 4840 vssvc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4068 wrote to memory of 2828 4068 rundll32.exe 81 PID 4068 wrote to memory of 2828 4068 rundll32.exe 81 PID 4068 wrote to memory of 2828 4068 rundll32.exe 81 PID 2828 wrote to memory of 4804 2828 rundll32.exe 82 PID 2828 wrote to memory of 4804 2828 rundll32.exe 82 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#12⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804
-
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:784
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4840
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD52454e049de8f3a649af2870fb8241c5f
SHA186032e77f189fe617782c371943819af0119861e
SHA2568cb8f37977b8584a194e1f669c29cc45655872ad4d0423b93252de39ec8579f6
SHA512c4916df125bdacd7a374e3217979d187a7d507995919267bcabfd9bb24f7da3474af92391ca8deba8e5df89ff7662e3e1feeeaad7be1997e8b3d81ceedaeb045
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82