Overview
overview
10Static
static
10bazaar.202...ge.exe
windows11-21h2-x64
1bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
6bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...te.exe
windows11-21h2-x64
10bazaar.202...32.exe
windows11-21h2-x64
7bazaar.202...32.exe
windows11-21h2-x64
7bazaar.202...RC.exe
windows11-21h2-x64
1bazaar.202...oad.js
windows11-21h2-x64
3bazaar.202...nt.exe
windows11-21h2-x64
7bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
6bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
6bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10bazaar.202...in.dll
windows11-21h2-x64
10Resubmissions
05/02/2025, 06:51
250205-hmnx7swpgk 1005/02/2025, 06:49
250205-hlsvrswpdj 1028/04/2024, 18:31
240428-w6cwyaec5v 1021/04/2024, 08:57
240421-kwwqhsfh8z 1021/04/2024, 05:45
240421-gfvazacf82 1018/04/2024, 19:05
240418-xry2ascb73 1018/04/2024, 16:34
240418-t3alashf75 1004/03/2024, 18:33
240304-w7b12ahg61 10Analysis
-
max time kernel
1480s -
max time network
1510s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
04/03/2024, 18:33
Static task
static1
Behavioral task
behavioral1
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Revenge.exe
Resource
win11-20240221-en
Behavioral task
behavioral2
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral3
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral4
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral5
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral6
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral7
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral8
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral9
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral10
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral11
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win11-20240221-en
Behavioral task
behavioral12
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win11-20240221-en
Behavioral task
behavioral13
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win11-20240221-en
Behavioral task
behavioral14
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.NetWiredRC.exe
Resource
win11-20240221-en
Behavioral task
behavioral15
Sample
bazaar.2020.02/HEUR-Trojan-Downloader.Script.SLoad.js
Resource
win11-20240221-en
Behavioral task
behavioral16
Sample
bazaar.2020.02/HEUR-Trojan-PSW.MSIL.Agent.exe
Resource
win11-20240221-en
Behavioral task
behavioral17
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral18
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral19
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral20
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral21
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral22
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral23
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral24
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral25
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral26
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral27
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral28
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral29
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral30
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral31
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
Behavioral task
behavioral32
Sample
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Resource
win11-20240221-en
General
-
Target
bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
-
Size
166KB
-
MD5
3cd7e62bc197926278810ea5f6adff19
-
SHA1
ad18b4f27039aa3b3ca59b7b6d8ea5cb309d78a7
-
SHA256
2a28f11ca820bd0bde24d41cb5307c8f2fa70174536ac13a99923ba70015b36f
-
SHA512
214852706e4bb89464a92625e3594b19afe4c99157d1706493e4114ac5510a64d3af7ff88f09273c67ad3d20f1ead61e8740acc4147432c64755e9eccbac7c71
-
SSDEEP
3072:JLFrb30BRtBZZg+i2ayyYOCWGPyLydrkxMT3Q44CTrZmDa:NJ0BXScFyfC3Hd4ygmoD
Malware Config
Extracted
C:\Recovery\88zx08o-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/33A76849D67C8310
http://decryptor.cc/33A76849D67C8310
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\Z: rundll32.exe -
Drops file in Program Files directory 12 IoCs
description ioc Process File created \??\c:\program files\88zx08o-readme.txt rundll32.exe File opened for modification \??\c:\program files\ClearExpand.au3 rundll32.exe File opened for modification \??\c:\program files\OpenUnblock.xml rundll32.exe File opened for modification \??\c:\program files\OutExport.jfif rundll32.exe File opened for modification \??\c:\program files\RestartCopy.xltx rundll32.exe File opened for modification \??\c:\program files\SubmitComplete.TTS rundll32.exe File created \??\c:\program files (x86)\88zx08o-readme.txt rundll32.exe File opened for modification \??\c:\program files\InstallSplit.easmx rundll32.exe File opened for modification \??\c:\program files\JoinResolve.xps rundll32.exe File opened for modification \??\c:\program files\RedoSuspend.css rundll32.exe File opened for modification \??\c:\program files\SelectFind.3g2 rundll32.exe File opened for modification \??\c:\program files\UpdateSave.xml rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3872 rundll32.exe 3872 rundll32.exe 3856 powershell.exe 3856 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3872 rundll32.exe Token: SeDebugPrivilege 3856 powershell.exe Token: SeBackupPrivilege 4788 vssvc.exe Token: SeRestorePrivilege 4788 vssvc.exe Token: SeAuditPrivilege 4788 vssvc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1332 wrote to memory of 3872 1332 rundll32.exe 77 PID 1332 wrote to memory of 3872 1332 rundll32.exe 77 PID 1332 wrote to memory of 3872 1332 rundll32.exe 77 PID 3872 wrote to memory of 3856 3872 rundll32.exe 78 PID 3872 wrote to memory of 3856 3872 rundll32.exe 78 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#12⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856
-
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:388
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4788
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD587b42f4f60ac6d529c3b6f989ad9c0da
SHA1988b0b1714d15a628837f872d6f9b259da7f498b
SHA25635697969b31f7badd922298a62484f7527ec35568d95cd31b8293e196e9996b9
SHA512d35671ae1cb30fe239afd122c5ba261fbccb2e8fdae8de10200201f89d3115a961efa89897598a84fa9030c86215eb27871bda4633014ceb8dd47c37ccf97349
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82