Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/03/2024, 22:41

General

  • Target

    2024-03-09_e30ef3b089106a1c524824b05c8af086_revil.exe

  • Size

    123KB

  • MD5

    e30ef3b089106a1c524824b05c8af086

  • SHA1

    c4528054e0051fd8c337be43bb93d6c2ec94c51b

  • SHA256

    2437818086f564a597c703b42e8a4dd1aa25bbd22d20b7e734ca00a9b92f6103

  • SHA512

    c82c3cb77eec2e5ac9c2d977f7e22baab9e710b6dcad160f79078eb38c3d4f70ec3f86f44fffb45da68d9409d615b1e66d643d08c7aa763f350709cac931a4a8

  • SSDEEP

    1536:7DvcP3LThpshw4s5OE8yNcYQp+2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOxi:y4S4haNcYM8gnBR5uiV1UvQFOxi

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

Campaign

4085

Decoy

Attributes
  • net

    true

  • pid

    $2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

  • prc

    sqbcoreservice
    dbsnmp
    mydesktopservice
    outlook
    ocomm
    excel
    mydesktopqos
    isqlplussvc
    onenote
    tbirdconfig
    msaccess
    encsvc
    infopath
    steam
    thebat
    agntsvc
    sql
    visio
    wordpad
    winword
    dbeng50
    powerpnt
    firefox
    xfssvccon
    mspub
    oracle
    thunderbird
    ocssd
    synctime
    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4085

  • svc

    memtas
    mepocs
    backup
    sophos
    sql
    svc$
    veeam
    vss

Extracted

Path

C:\Users\2zuun-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 2zuun. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2F130E343694881C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/2F130E343694881C Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: w+ndQXaUWJXw5/X448pLEhRRIiTOxmtRLxI1I0Y4JYkTkWWBVsvtf9Z6tEE9ZigJ IzOm4n5o4BFndQKoNnviQ8FomIyAlffSaPBdteDyfwEDphKNmEcv6EgHnaKKE5Uc PI9GEFMWBhfIObR8vqq8BFCSSJggE1Mb9bYm7ff7hEbQellnBYBr3UKq7uh6k6m+ Iz0fly79y23/ER2XnV1x2013F9cOcdqA6jm6ZRN3bDf8mH34hYMecJUV8soKj9yg wP/zG9tbuOJGWsPF2vSHEKz0IhTcZvrX7bOIBpg3YK5eLWR094NQODxpZYvSeedS XSUa0hEpjHixr0i/sxL3PPOwQm08EGlDkuyBcrVdh/LWLuSZFCE0sAWF6Ytw3idj gGWLFkHUyRwQWKcLB0AMGk2+YcZEUMagF/QKP83vbbwOaL8cLhBFFPRy0SYjRDBO yYXiMCjSMSsWauGucS3aHw/RwELzh2tJ1gog+N5WGf4dXDYGmlN4o9UwCdOKW05P PKQsYc51nqgHJI+vBZ9yPX7nVkP6g2HDNkS6K+gmYh0b/hadSqsUN6sP9jt9apPL yBei0C3hG4N1eNnE/+NxXor8Rqp+Lfz253Swxe5jkSgXd3jDzrsAoB9e+4BvxFkJ hRojLoH/+1jmSKYYQYH8JOktKiUyL3esWwhmM7JV49hwQ65qMVLHbd+EM0uF1Cpd d4kXBWtEfekmhm0pdnk8/R6Z1WjjV+WYdRS5wPXxWe872sRbElrzIovyTeIHAkhv VOPbDBcvN32bd/S8M7Hd6i0P6qwJF1LFF91YqR2maqprINAwH0IZKuNpkcmJxYwx lq9IOVKHyDXIrpV6wHmk0MRhZycvAyVBFwmyD8olWXRBTsKXVvC4n9WAsxaAlk/J fZ6BuUCFRU70HOt0usiLhbDQKrE6GkyEnFTDaZj7hxXwDfcjb4wrBZS0Q9DHnzOA xfKU+zj8WC7JsG+ynGA400fTDNnoIKY6LUM+9VKbRIWYeF4TkpiZGiHA0jHesAI7 BV8+IoQ++R1z2UH8sh74Q4WJ17PgJo/hUcynV4qiJ/38Tv+fC1MssqNiO9x/lvLb xS29ALcuqc0Z6XeW59SB/JNeXTl0KxgTd7A5B6MTB4DwPWH/Hfn8yTUigsQHBX/H /QbKTLieE3y6hD6fe+StmUDx+CBuq6L4nvxWaoo/qCkN8QpsjN5Yw5vYYo/AVLTe zSGwn/ZqemCQuhJAfTJMbUsOH3ngap88fiZKNHz79z5+sl7lzgPx0KB/Mc4fRlAP hb1ljUwIhogiNwhY70XFmiIjK+aiO/eoSJlLKaaIkXUPx5uEMQ5AUDym8smOl9pH 5iQ0/3N771cpOHU3rzqeUg8SclZEXnuzZdfadOOS ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2F130E343694881C

http://decryptor.cc/2F130E343694881C

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (1 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Drops file in Program Files directory (25 IoCs)
  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-09_e30ef3b089106a1c524824b05c8af086_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-09_e30ef3b089106a1c524824b05c8af086_revil.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2192
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2256
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2800

    Downloads

    • C:\Users\2zuun-readme.txt

      Filesize

      6KB

      MD5

      76cfc4ee207cdae8e92f377ac674a159

      SHA1

      b411f83fed34af510404fcfcc3d59a397b32d344

      SHA256

      9b275c0a71dd8534061ec936244dd0f24ac0bdf2bcaae3e49edc304297f6da3d

      SHA512

      f8e408bf75ced8421c5f4dc68979ef5fa5741369a9d0ba8fc1f618f324898ab65a375b0aa9cf5ce2db4726b1361a5e4403d6064402027df7acba2b825e703513

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    • C:\Users\Admin\AppData\Local\Temp\Cab672E.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Tar7097.tmp

      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      192KB

      MD5

      0aa46d5e20d6ebbf5a30d0ef808e5710

      SHA1

      b35d623eaaf6e27ebaa56073b7a33c86268952e2

      SHA256

      6493b420e19339c927de6d70491f9ad4d877cedaa085d626460025699c122712

      SHA512

      b330ee787534cb378f2c19cc82dde41565a807f00132c048d69b6ead9ecd07a00cb5e257052d67d9952cb1b987a7fea350c570a7b980a1322803506fa8c17a35

    • memory/2112-0-0x0000000001160000-0x0000000001182000-memory.dmp

      Filesize

      136KB

    • memory/2112-446-0x0000000001160000-0x0000000001182000-memory.dmp

      Filesize

      136KB

    • memory/2192-6-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

      Filesize

      9.6MB

    • memory/2192-12-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

      Filesize

      9.6MB

    • memory/2192-10-0x00000000028D0000-0x0000000002950000-memory.dmp

      Filesize

      512KB

    • memory/2192-11-0x00000000028D0000-0x0000000002950000-memory.dmp

      Filesize

      512KB

    • memory/2192-9-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

      Filesize

      9.6MB

    • memory/2192-8-0x00000000028D0000-0x0000000002950000-memory.dmp

      Filesize

      512KB

    • memory/2192-7-0x0000000001F70000-0x0000000001F78000-memory.dmp

      Filesize

      32KB

    • memory/2192-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

      Filesize

      2.9MB