Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10bazaar.202...ge.exe
windows11-21h2-x64
1bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
6bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...32.exe
windows11-21h2-x64
7bazaar.202...32.exe
windows11-21h2-x64
7bazaar.202...RC.exe
windows11-21h2-x64
1bazaar.202...oad.js
windows11-21h2-x64
3bazaar.202...nt.exe
windows11-21h2-x64
7bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
1bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10Resubmissions
05/02/2025, 06:51
250205-hmnx7swpgk 1005/02/2025, 06:49
250205-hlsvrswpdj 1028/04/2024, 18:31
240428-w6cwyaec5v 1021/04/2024, 08:57
240421-kwwqhsfh8z 1021/04/2024, 05:45
240421-gfvazacf82 1018/04/2024, 19:05
240418-xry2ascb73 1018/04/2024, 16:34
240418-t3alashf75 1004/03/2024, 18:33
240304-w7b12ahg61 10Analysis
-
max time kernel
91s -
max time network
95s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
02/03/2024, 17:01
Static task
static1
Behavioral task
behavioral1
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Revenge.exe
Resource
win11-20240221-en
Behavioral task
behavioral2
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral3
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral4
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral5
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral6
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral7
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral8
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral9
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral10
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral11
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral12
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win11-20240221-en
Behavioral task
behavioral13
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win11-20240221-en
Behavioral task
behavioral14
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.NetWiredRC.exe
Resource
win11-20240221-en
Behavioral task
behavioral15
Sample
bazaar.2020.02/HEUR-Trojan-Downloader.Script.SLoad.js
Resource
win11-20240221-en
Behavioral task
behavioral16
Sample
bazaar.2020.02/HEUR-Trojan-PSW.MSIL.Agent.exe
Resource
win11-20240221-en
Behavioral task
behavioral17
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral18
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral19
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral20
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral21
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral22
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral23
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral24
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral25
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral26
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral27
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral28
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral29
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral30
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral31
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral32
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
General
-
Target
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
-
Size
164KB
-
MD5
4903f3effb98da65c49bb9591c16615d
-
SHA1
d53e85991420c1475385babd72d31ee77faefc6d
-
SHA256
42996516b6604ba136ff909d9b59d2a676a72eaafa30c729cdfaddd96b20fc83
-
SHA512
454b8a5f3528ce77d993b84ccd0df7b8f0843a6a47516b1aa13fe6cbb79d1853646e03c7c9663266df154fd464f594d41be1e392d0c8c3dd676e4348e5149880
-
SSDEEP
3072:BrX1t2U05pbJ5xhxY9doh7O79siUs/NaDn3Ka9:BrltH05f5v2i7O93Nenaa9
Malware Config
Extracted
C:\Recovery\top3gk2-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/24664199F4D2B38D
http://decryptor.top/24664199F4D2B38D
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\D: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\I: rundll32.exe -
Drops file in Program Files directory 30 IoCs
description ioc Process File opened for modification \??\c:\program files\SelectConvertFrom.xlt rundll32.exe File opened for modification \??\c:\program files\SendOpen.pptx rundll32.exe File opened for modification \??\c:\program files\CompressUnblock.avi rundll32.exe File opened for modification \??\c:\program files\ExpandInstall.jpeg rundll32.exe File opened for modification \??\c:\program files\ProtectApprove.sql rundll32.exe File opened for modification \??\c:\program files\SearchRemove.midi rundll32.exe File opened for modification \??\c:\program files\RemoveShow.zip rundll32.exe File opened for modification \??\c:\program files\SkipAssert.wm rundll32.exe File opened for modification \??\c:\program files\UpdateEnter.dot rundll32.exe File opened for modification \??\c:\program files\AssertStep.midi rundll32.exe File opened for modification \??\c:\program files\ClosePing.contact rundll32.exe File opened for modification \??\c:\program files\GroupRename.M2V rundll32.exe File opened for modification \??\c:\program files\MoveLimit.aiff rundll32.exe File opened for modification \??\c:\program files\ImportRemove.gif rundll32.exe File opened for modification \??\c:\program files\LimitDeny.ttc rundll32.exe File opened for modification \??\c:\program files\GrantShow.clr rundll32.exe File opened for modification \??\c:\program files\JoinClear.xltx rundll32.exe File opened for modification \??\c:\program files\ResumeApprove.wma rundll32.exe File opened for modification \??\c:\program files\UnlockUse.vstm rundll32.exe File created \??\c:\program files (x86)\top3gk2-readme.txt rundll32.exe File opened for modification \??\c:\program files\UnprotectDisable.ppsm rundll32.exe File opened for modification \??\c:\program files\SaveDisable.mp4v rundll32.exe File created \??\c:\program files\top3gk2-readme.txt rundll32.exe File opened for modification \??\c:\program files\CheckpointApprove.html rundll32.exe File opened for modification \??\c:\program files\MergeClose.jpeg rundll32.exe File opened for modification \??\c:\program files\RemoveResolve.vdx rundll32.exe File opened for modification \??\c:\program files\MergeWatch.reg rundll32.exe File opened for modification \??\c:\program files\RestoreRevoke.jfif rundll32.exe File opened for modification \??\c:\program files\SkipRemove.wmv rundll32.exe File opened for modification \??\c:\program files\UnpublishTrace.eprtx rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4044 rundll32.exe 4044 rundll32.exe 4292 powershell.exe 4292 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4292 powershell.exe Token: SeBackupPrivilege 3252 vssvc.exe Token: SeRestorePrivilege 3252 vssvc.exe Token: SeAuditPrivilege 3252 vssvc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3884 wrote to memory of 4044 3884 rundll32.exe 77 PID 3884 wrote to memory of 4044 3884 rundll32.exe 77 PID 3884 wrote to memory of 4044 3884 rundll32.exe 77 PID 4044 wrote to memory of 4292 4044 rundll32.exe 78 PID 4044 wrote to memory of 4292 4044 rundll32.exe 78 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#12⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4292
-
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:4808
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3252
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD557ec961c539166cc511872ceb683dd82
SHA108597aa05e999431e97870b4be29648f6d7ec839
SHA256bb4c03b70df89457e5cef7c5207586e30e1b17b06d7d699889685166ace88dfc
SHA512445a35678b69d2d1b8d934a000cf46e47c2d2abaeef03522b1bc53990c78e3239d8f31c6a864408efea72bc2928c21f0c133e6dff4b0d33a30f8e5b5c96312cb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82