Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02/04/2024, 13:54
Static task
static1
Behavioral task
behavioral1
Sample
81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe
Resource
win10v2004-20240226-en
General
-
Target
81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe
-
Size
115KB
-
MD5
7e18b037a068c56417fb8e56aa7e49e8
-
SHA1
f6739569a24358c8c060d7131be70712f70f36e0
-
SHA256
81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed
-
SHA512
d6188e5536b6e0b5c49d572e35155d633c11fd30bc8d4bf4ea87fea7196ae2f67bca364a0afaeed8209e5d4b2be0b98d81c49293d3fed95c70c8388b8387899d
-
SSDEEP
1536:AkdeUcaK8Qz4PQIUnq5WMrAmyopACC9ICS4A0vh4NKwTNA28V5/Ogsck:mlnXEXyk7yvh4NKwTNF8V8v
Malware Config
Extracted
C:\Users\895v7d4-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8FB5E2E73DC15E63
http://decryptor.cc/8FB5E2E73DC15E63
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\N: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\P: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\Q: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\Y: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\Z: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\A: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\T: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\F: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\B: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\J: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\K: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\S: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\I: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\M: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\V: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\D: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\L: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\U: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\X: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\E: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\G: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\R: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\O: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened (read-only) \??\W: 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\995.bmp" 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe -
Drops file in Program Files directory 17 IoCs
description ioc Process File created \??\c:\program files\895v7d4-readme.txt 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened for modification \??\c:\program files\MoveWrite.png 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\895v7d4-readme.txt 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened for modification \??\c:\program files\CompressNew.ADTS 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened for modification \??\c:\program files\DismountCopy.vsw 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened for modification \??\c:\program files\PingConvertTo.wmv 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened for modification \??\c:\program files\AssertUndo.xlsm 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened for modification \??\c:\program files\ConfirmRedo.clr 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\895v7d4-readme.txt 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\895v7d4-readme.txt 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened for modification \??\c:\program files\JoinSearch.mp3 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened for modification \??\c:\program files\SendUse.ogg 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened for modification \??\c:\program files\WriteRedo.vdx 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File created \??\c:\program files (x86)\895v7d4-readme.txt 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened for modification \??\c:\program files\AddCompare.shtml 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened for modification \??\c:\program files\ClearResolve.mpeg2 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe File opened for modification \??\c:\program files\ConvertWait.wmv 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2340 81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe"C:\Users\Admin\AppData\Local\Temp\81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2340
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD54b76d9a31387d757e50f9061af03a3f1
SHA16a4e72c11d83e6c25746a937f82c901a3f52fb7a
SHA256032748a5abb11931828e3ad2d362505fb530e227a29acee52805c1a636cb9fa6
SHA512ab26147951011bf51fc0d43f190c59c6a507dd71057ea99b6b277965484c10a41c07b47077afd0aa5cf5ad986ca2119bbe7b75e4a91161b4d9cfcf6f4618ed29