Resubmissions

05/02/2025, 06:51

250205-hmnx7swpgk 10

05/02/2025, 06:49

250205-hlsvrswpdj 10

28/04/2024, 18:31

240428-w6cwyaec5v 10

21/04/2024, 08:57

240421-kwwqhsfh8z 10

21/04/2024, 05:45

240421-gfvazacf82 10

18/04/2024, 19:05

240418-xry2ascb73 10

18/04/2024, 16:34

240418-t3alashf75 10

04/03/2024, 18:33

240304-w7b12ahg61 10

Analysis

  • max time kernel
    1774s
  • max time network
    1494s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/03/2024, 18:33

General

  • Target

    bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll

  • Size

    166KB

  • MD5

    c8db3c1a7b0dc871335676730312a915

  • SHA1

    7b43678293329461b9e659f390606940deb8565c

  • SHA256

    0eb2873b91bedb21963ce3150732914fefcbdec884cd7b3d0e63b5f5424d3b37

  • SHA512

    4c0b5064a46dcaa1449c9eb650f40aeca82e65dd6109ff81b0713ce61e4e320c430467595bceb4faf72a0d673e078f1ee8c63679aee524cd2f30119524ac957b

  • SSDEEP

    3072:JLFrb30BRtBZZg+i2ayyYOCWGPyLydrkxMT3Q8Z/ucc6CSf:NJ0BXScFyfC3Hd4ygK/yx

Score
10/10

Malware Config

Extracted

Path

C:\Recovery\28366-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 28366.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/67AE595FF4B950C0

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/67AE595FF4B950C0

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key:

4Y7dF7mU//BWvyVvHyOVSai6qoC4Uf+fYd/JZ64gzGYA2R/1y4YQ+icwUJhQONgr R8RMrbpPTNxlzff3hWbnhEoJNtlU8cTLyS9SoTUVDfYAtSl//Dcb3I5WJBxKdeRU EbDAk5EArPAmuxIHxyXvO6LxL3JNqHbRiZGnfwN6fdZhQaYWVbNcCyIb73tvQEJx 4YyIrZ1n0I8x0cIp+gh+AK8RQzXEJk0ZJBeoG7sPcw5zzfa6nGtwX9JN4uHiwoeh RdiiexD61HqS0LhVFAJPG79If341p8NqdgRDClkKsbIkcdV7voD4zjw2Nl+/EtWN ff6RTyaeqlwP7C2ZoU/YlgQZSfqrqTujQWgfmL4reOWJmJwHnCQ/mzUFfraw27lo fHMbjN8GUR1vYJ2bQTg7ZoCt3UnruIPioIiRrQWZhVRO5kEJeQegx+oZsil8/7N9 zAhMgIc7Ih4m+ZDUiMYOGJ9Sv9JAgEfdhTUySqob2tz3p4o7QF3Ao8AdgX5ajPLP iDgBMD4nCJ/9H3zKv4pz0/yOQnET10EB7Ve2UBOGRxtMA3QE2c6nKzHtPqB1tJTK me6rDGJ+pgUhVoBDHy3ZKaOKwsvFUEmhlD/NaLHm/ScppGcO+qQWdYPF1kzyZ6/j a1jE6yBdWxlCzQTql+iVwhGjw/2DQT8gg26jDpVeCuhQVz/a34viku75XnJhr0Yp 4KxJrMSMAu5h1Ftl8F/HqUIM3arN60rVdwEwy53MS9DIJ253iL5pjaY5K5Ek1htj THR+bP8uTJVKVkfboBtn9NGBjpVWqw8NRByFpMBMNAktAiP3aLRD1CDeh9MzCg6i NHbMKFECEtjQI1LYlVCqTuuaRzuI77zDq2iuazEh3L8LG+gzqc9T7rLq+xMzngdX PTheyRHIcSnG0NA2W6GhTA3YU02qer12HjAzhLWew7nTwFq9Y7BYwSJ64YodGaGx mWnWmVVP4cYxA9v33RAtlPktRIzBa49A1zSCDSSY9bG5bCBFz5tXCfrjHDuR2kfd Ud/eCzuFCSQubmNs8VHUAp4Ha3Btd9mi7UQeFKX0J+XGtMrbdU9hpSXJQOrAyboU GWMT5q7WYwvhKhzL4ofZhpvD1DRXHeyOeDX2w76hWLfFf5VYFMD+71yoZ7oj4soj fNqJxK7vofjeGQeUNfK9l3DszU/Q1gY6SO/kf4O/p8ayXlvyOe8585GtVN9LyOTc Xsa79uDTjRj0ccy+DhQ0/hqLuUm/NYy2yKU+wA7RFX4ymMnmABl0a+F0uMI81xRN AytGqB9g3xQz5bAZMnYyT3r+y0zupmIxndjSs5A0s3oK8oTZ/PIb03jeIqJoOyTA pXVFgNLjvZO918IJUJZKZ9LywaLaypf/id7qLmIsNFhUAYVQ

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/67AE595FF4B950C0

http://decryptor.cc/67AE595FF4B950C0

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:32
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:388
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1300
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1852

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Recovery\28366-readme.txt

    Filesize

    6KB

    MD5

    00f55811bfdd029e36e0b4c3df6592a3

    SHA1

    23c1ceab3c5a40322a2bd5fe9c8d1c75d6d86e67

    SHA256

    92ff66fe0051a49dc2bca35725c19eeb01916025b43f8aa21a164c73c154149b

    SHA512

    62e63f3c79dfc6bda45f28f5c6fb7654f11d5b6f5cafcad56afb789e24573b96fb3b85bc68a3eb74ae4dc57def5b6f4b1d108810186f8008ecf29aeec6bb8f75

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwj0hqds.lej.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/388-9-0x00007FFC22BF0000-0x00007FFC236B2000-memory.dmp

    Filesize

    10.8MB

  • memory/388-8-0x00000191E6C90000-0x00000191E6CB2000-memory.dmp

    Filesize

    136KB

  • memory/388-10-0x00000191E6CF0000-0x00000191E6D00000-memory.dmp

    Filesize

    64KB

  • memory/388-11-0x00000191E6CF0000-0x00000191E6D00000-memory.dmp

    Filesize

    64KB

  • memory/388-12-0x00000191E6CF0000-0x00000191E6D00000-memory.dmp

    Filesize

    64KB

  • memory/388-15-0x00007FFC22BF0000-0x00007FFC236B2000-memory.dmp

    Filesize

    10.8MB