Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10bazaar.202...ge.exe
windows11-21h2-x64
1bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
6bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...32.exe
windows11-21h2-x64
7bazaar.202...32.exe
windows11-21h2-x64
7bazaar.202...RC.exe
windows11-21h2-x64
1bazaar.202...oad.js
windows11-21h2-x64
3bazaar.202...nt.exe
windows11-21h2-x64
7bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
1bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10Resubmissions
05/02/2025, 06:51
250205-hmnx7swpgk 1005/02/2025, 06:49
250205-hlsvrswpdj 1028/04/2024, 18:31
240428-w6cwyaec5v 1021/04/2024, 08:57
240421-kwwqhsfh8z 1021/04/2024, 05:45
240421-gfvazacf82 1018/04/2024, 19:05
240418-xry2ascb73 1018/04/2024, 16:34
240418-t3alashf75 1004/03/2024, 18:33
240304-w7b12ahg61 10Analysis
-
max time kernel
8s -
max time network
14s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
02/03/2024, 17:01
Static task
static1
Behavioral task
behavioral1
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Revenge.exe
Resource
win11-20240221-en
Behavioral task
behavioral2
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral3
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral4
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral5
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral6
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral7
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral8
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral9
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral10
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral11
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral12
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win11-20240221-en
Behavioral task
behavioral13
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win11-20240221-en
Behavioral task
behavioral14
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.NetWiredRC.exe
Resource
win11-20240221-en
Behavioral task
behavioral15
Sample
bazaar.2020.02/HEUR-Trojan-Downloader.Script.SLoad.js
Resource
win11-20240221-en
Behavioral task
behavioral16
Sample
bazaar.2020.02/HEUR-Trojan-PSW.MSIL.Agent.exe
Resource
win11-20240221-en
Behavioral task
behavioral17
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral18
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral19
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral20
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral21
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral22
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral23
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral24
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral25
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral26
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral27
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral28
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral29
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral30
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral31
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral32
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
General
-
Target
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
-
Size
164KB
-
MD5
722e15d85827d3ac13e56e8108688012
-
SHA1
cab935a24d7d0ea7e8d93851f7ea94ab9bccfc34
-
SHA256
578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1
-
SHA512
59e24cf313db4413f44f16a8276d072f43402e718c25e1d00e81ddc69a1937473cfd1902c320bc9175d75a0d43a53ab3e971b8447ec1cf9cf9aa3aa536464273
-
SSDEEP
3072:BrX1t2U05pbJ5xhxY9doh7O79siUs/NaT8Sp:BrltH05f5v2i7O93No7
Malware Config
Extracted
C:\Recovery\m9a8e8p45z-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/117D63BDD8E9273A
http://decryptor.top/117D63BDD8E9273A
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\D: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\N: rundll32.exe -
Drops file in Program Files directory 20 IoCs
description ioc Process File opened for modification \??\c:\program files\OutSearch.tif rundll32.exe File opened for modification \??\c:\program files\ResizeAssert.ogg rundll32.exe File opened for modification \??\c:\program files\SkipNew.tif rundll32.exe File opened for modification \??\c:\program files\SyncLimit.mp2v rundll32.exe File created \??\c:\program files\m9a8e8p45z-readme.txt rundll32.exe File opened for modification \??\c:\program files\ApproveReceive.search-ms rundll32.exe File opened for modification \??\c:\program files\EnableConnect.htm rundll32.exe File opened for modification \??\c:\program files\RevokePublish.dwg rundll32.exe File opened for modification \??\c:\program files\SkipSwitch.ps1xml rundll32.exe File opened for modification \??\c:\program files\BackupRename.wmf rundll32.exe File opened for modification \??\c:\program files\SubmitPublish.ADTS rundll32.exe File opened for modification \??\c:\program files\ReadSkip.mpg rundll32.exe File opened for modification \??\c:\program files\SetWait.xps rundll32.exe File opened for modification \??\c:\program files\StepImport.xls rundll32.exe File opened for modification \??\c:\program files\UnlockUse.jpeg rundll32.exe File opened for modification \??\c:\program files\UpdateSuspend.rar rundll32.exe File created \??\c:\program files (x86)\m9a8e8p45z-readme.txt rundll32.exe File opened for modification \??\c:\program files\DenyOptimize.gif rundll32.exe File opened for modification \??\c:\program files\NewOut.ttf rundll32.exe File opened for modification \??\c:\program files\UseDisable.M2V rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2652 rundll32.exe 2652 rundll32.exe 2932 powershell.exe 2932 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2932 powershell.exe Token: SeBackupPrivilege 632 vssvc.exe Token: SeRestorePrivilege 632 vssvc.exe Token: SeAuditPrivilege 632 vssvc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 5016 wrote to memory of 2652 5016 rundll32.exe 81 PID 5016 wrote to memory of 2652 5016 rundll32.exe 81 PID 5016 wrote to memory of 2652 5016 rundll32.exe 81 PID 2652 wrote to memory of 2932 2652 rundll32.exe 83 PID 2652 wrote to memory of 2932 2652 rundll32.exe 83 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#12⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2408
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:632
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82