Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/04/2024, 13:54

General

  • Target

    81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe

  • Size

    115KB

  • MD5

    7e18b037a068c56417fb8e56aa7e49e8

  • SHA1

    f6739569a24358c8c060d7131be70712f70f36e0

  • SHA256

    81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed

  • SHA512

    d6188e5536b6e0b5c49d572e35155d633c11fd30bc8d4bf4ea87fea7196ae2f67bca364a0afaeed8209e5d4b2be0b98d81c49293d3fed95c70c8388b8387899d

  • SSDEEP

    1536:AkdeUcaK8Qz4PQIUnq5WMrAmyopACC9ICS4A0vh4NKwTNA28V5/Ogsck:mlnXEXyk7yvh4NKwTNF8V8v

Score
10/10

Malware Config

Extracted

Path

C:\Users\895v7d4-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome Massive Prints. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 895v7d4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8FB5E2E73DC15E63 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/8FB5E2E73DC15E63 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: RQmG58L2yT21TTI+gen5uJ/MrClXxozbgbX2GkiUIPryF9zUdiBBG/KUKu/aigRG VAlUwsUU5o9MjQjDvbPYb5dbN5d7hmNI1IGx16Pha8bg56DG1ShZShFEpKi5eaN4 D7WsNPkCn6ZUuxrQxf0M+QzxmSdMI1ab3VyxjB6IKSevQofLa2ce0yYZzHi5AIDc TMk0O1FvCffxj+/m4KSEYAqVx2yba9gZAG5TCmukeKqUEEIM7R9ViR+pIC8U+ihW CxVLj6usXnt/1e/a1EJ5tbUNfsDSfPU7+6rGnlJn2AY972FlJ3HiPxDonSKJwD+H UObFebMCcJGX70zMkibSVXdBcDJh6rM59m5plTGqA+xN3Swi2IhUYthqLpM0aprR uRl4Xa1GOLDd4cPNcOi9HIRmK5YavvsYi02InUZ3dMvetlW57eM4Pz3NftWOpYGu jmkKH72hs+QCAdPNgyE8PtSrFps3uABPo4dQZy+Rb97U1b3xpu5RPaUxTkBI3+RV FwHFIMeWFWAq7eeDc/lxo41o8X92lSOQVSjYE48XtBpoPJT+JP1FIzjo87/QQePr Fh+PTDb6VPSVTOarFZs6hRcCpzQTrLPUpN0f3PimO5eEUz5ZcANFgVUTLA2//PHo hra/3WZVGQ5/4hcTsgpKdABGS/AkU6U/vlwn3C1snJzwcdrfTR9vKRDv2tcx/XYD JpYKulyKn8IP4Kyn/DHXHshzC05LB8HBAh5nOA1yOT6pc0ZVNRwKqtk+N7EhL7NY ekU2UKbOYDEyeA0YK+c2WXyytlR9beM7PjADbC6MobhWzwV39EfLICZnOIROToY9 c7qZPKomFlls2Vc9/PzsWboUl9FolNL4FpOd7fFd1bJUSXyZUjhiRQsfNOWyOQNo wLRJXgr/NPDWIOzetKenSRsMijnXUM4qR2anyRdSjOKutivV9bNzZcN858EzLNrQ 3sfUGQvbRLB1/5uTsTkAPii/TNToanoHvKiIUD2OujVJqVnTAEjEcs95/JXyCB0X o7qRI2opMiVXJU1h33t2i8/A6rn96MWZq/g+iDGbZSvYS9V8LNaZtsW3cFToViVL 9ivDfo+f1ezGrXrb/K3RppKL7U27+FyDp/krVN3YUJqia5LmlNim7Sjlm0R7IpOy uN7XHtOLnoCPam3JSjrYKIzg6RYl05PCk/CSFwT8GiLtLJRHgcFZsOKUgmHfOVsw ncmo+191JslqFPn2EK9qYP9Mn3FJ66GKAsNwJcZmsggm9zxJflSCyhz+BpKF22dq jj/ojaK9Ag94yCNqO4WwQZUx3SlAbLBIUZEYFBZXBejlKMHVV4q2jmC6UEh5ocO0 RX6J14bYb642SXeqdSgiYQgwQ71+4fE72JsNYTvJypgJgw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8FB5E2E73DC15E63

http://decryptor.cc/8FB5E2E73DC15E63

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (17 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe
    "C:\Users\Admin\AppData\Local\Temp\81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe"
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\895v7d4-readme.txt

    Filesize

    6KB

    MD5

    4b76d9a31387d757e50f9061af03a3f1

    SHA1

    6a4e72c11d83e6c25746a937f82c901a3f52fb7a

    SHA256

    032748a5abb11931828e3ad2d362505fb530e227a29acee52805c1a636cb9fa6

    SHA512

    ab26147951011bf51fc0d43f190c59c6a507dd71057ea99b6b277965484c10a41c07b47077afd0aa5cf5ad986ca2119bbe7b75e4a91161b4d9cfcf6f4618ed29