Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10bazaar.202...ge.exe
windows11-21h2-x64
1bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
6bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...32.exe
windows11-21h2-x64
7bazaar.202...32.exe
windows11-21h2-x64
7bazaar.202...RC.exe
windows11-21h2-x64
1bazaar.202...oad.js
windows11-21h2-x64
3bazaar.202...nt.exe
windows11-21h2-x64
7bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
1bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10Resubmissions
05/02/2025, 06:51
250205-hmnx7swpgk 1005/02/2025, 06:49
250205-hlsvrswpdj 1028/04/2024, 18:31
240428-w6cwyaec5v 1021/04/2024, 08:57
240421-kwwqhsfh8z 1021/04/2024, 05:45
240421-gfvazacf82 1018/04/2024, 19:05
240418-xry2ascb73 1018/04/2024, 16:34
240418-t3alashf75 1004/03/2024, 18:33
240304-w7b12ahg61 10Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
02/03/2024, 17:01
Static task
static1
Behavioral task
behavioral1
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Revenge.exe
Resource
win11-20240221-en
Behavioral task
behavioral2
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral3
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral4
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral5
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral6
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral7
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral8
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral9
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral10
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral11
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral12
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win11-20240221-en
Behavioral task
behavioral13
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win11-20240221-en
Behavioral task
behavioral14
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.NetWiredRC.exe
Resource
win11-20240221-en
Behavioral task
behavioral15
Sample
bazaar.2020.02/HEUR-Trojan-Downloader.Script.SLoad.js
Resource
win11-20240221-en
Behavioral task
behavioral16
Sample
bazaar.2020.02/HEUR-Trojan-PSW.MSIL.Agent.exe
Resource
win11-20240221-en
Behavioral task
behavioral17
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral18
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral19
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral20
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral21
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral22
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral23
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral24
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral25
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral26
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral27
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral28
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral29
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral30
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral31
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral32
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
General
-
Target
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
-
Size
164KB
-
MD5
b039e1d100166dc2e80ac9ff3f658481
-
SHA1
7ff4100e822925edf67ccf03ec7b39babacf70cd
-
SHA256
23096a2bc9feeabd37a9704d0653f4628ef740cdfe24af364ee09d379ec39d95
-
SHA512
a41fa1ba35ab11f8ee4a8c45286bd7ccf48a8ced9498c6abbfd43d42286bd88a346921e7ae1534510ff574b6e55b37c52ebf32ebd2c65d2095ed997e330fa24c
-
SSDEEP
3072:v0XoUeZ/DVS8L73ea4MoCLfqQvFfG4gdYR3NQT3U:veoUeZR2TRCWQFfG4gdYR3NQTE
Malware Config
Extracted
C:\Recovery\r1e7yw-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F0C166B0B5875C0F
http://decryptor.top/F0C166B0B5875C0F
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\D: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\B: rundll32.exe -
Drops file in Program Files directory 32 IoCs
description ioc Process File opened for modification \??\c:\program files\ReadPublish.pptx rundll32.exe File opened for modification \??\c:\program files\TestSearch.asf rundll32.exe File opened for modification \??\c:\program files\PingDismount.mpv2 rundll32.exe File opened for modification \??\c:\program files\AssertFind.jpg rundll32.exe File opened for modification \??\c:\program files\GrantApprove.dib rundll32.exe File opened for modification \??\c:\program files\PushDebug.ttc rundll32.exe File opened for modification \??\c:\program files\ReceiveImport.mp4v rundll32.exe File opened for modification \??\c:\program files\UnblockWatch.html rundll32.exe File created \??\c:\program files (x86)\r1e7yw-readme.txt rundll32.exe File opened for modification \??\c:\program files\SetRedo.3gp2 rundll32.exe File opened for modification \??\c:\program files\SplitSet.bmp rundll32.exe File opened for modification \??\c:\program files\StopProtect.rtf rundll32.exe File opened for modification \??\c:\program files\TestSync.js rundll32.exe File opened for modification \??\c:\program files\CopyReceive.docx rundll32.exe File opened for modification \??\c:\program files\RequestSend.i64 rundll32.exe File opened for modification \??\c:\program files\RestartHide.mpeg2 rundll32.exe File opened for modification \??\c:\program files\SwitchHide.m1v rundll32.exe File opened for modification \??\c:\program files\OptimizeReset.dotm rundll32.exe File opened for modification \??\c:\program files\CompareRestart.js rundll32.exe File opened for modification \??\c:\program files\FormatGroup.pcx rundll32.exe File opened for modification \??\c:\program files\MergeResume.search-ms rundll32.exe File opened for modification \??\c:\program files\UnprotectRestore.ini rundll32.exe File created \??\c:\program files\r1e7yw-readme.txt rundll32.exe File opened for modification \??\c:\program files\InstallCopy.dib rundll32.exe File opened for modification \??\c:\program files\LockEnable.vdw rundll32.exe File opened for modification \??\c:\program files\InitializeMove.html rundll32.exe File opened for modification \??\c:\program files\DenyResume.xlsx rundll32.exe File opened for modification \??\c:\program files\ClearTrace.html rundll32.exe File opened for modification \??\c:\program files\PushTest.jpeg rundll32.exe File opened for modification \??\c:\program files\ResumeUnlock.php rundll32.exe File opened for modification \??\c:\program files\UnlockUnregister.mp4v rundll32.exe File opened for modification \??\c:\program files\ApproveSend.m1v rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1516 rundll32.exe 1516 rundll32.exe 3996 powershell.exe 3996 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1516 rundll32.exe Token: SeDebugPrivilege 3996 powershell.exe Token: SeBackupPrivilege 1264 vssvc.exe Token: SeRestorePrivilege 1264 vssvc.exe Token: SeAuditPrivilege 1264 vssvc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 816 wrote to memory of 1516 816 rundll32.exe 81 PID 816 wrote to memory of 1516 816 rundll32.exe 81 PID 816 wrote to memory of 1516 816 rundll32.exe 81 PID 1516 wrote to memory of 3996 1516 rundll32.exe 82 PID 1516 wrote to memory of 3996 1516 rundll32.exe 82 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#12⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3996
-
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3496
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1264
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD54ad36db89603d04f3b9778e3573152ac
SHA172dc490d1a5d23e2117430684bcd450adbf84f98
SHA256688de10ad6c73a87a9f3416816dbed68ca515e3ee449ab196d91694f881a622f
SHA512e879914e1d831ac29367e03faeca33d7dece9ca6f3f15c6d0bca06ef7bc913dfc3f20a1209654b735c82e5b8c7cfe961955141c76fafb756d7d1dbedb955bb93
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82