Analysis

  • max time kernel
    92s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/04/2024, 13:54

General

  • Target

    81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe

  • Size

    115KB

  • MD5

    7e18b037a068c56417fb8e56aa7e49e8

  • SHA1

    f6739569a24358c8c060d7131be70712f70f36e0

  • SHA256

    81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed

  • SHA512

    d6188e5536b6e0b5c49d572e35155d633c11fd30bc8d4bf4ea87fea7196ae2f67bca364a0afaeed8209e5d4b2be0b98d81c49293d3fed95c70c8388b8387899d

  • SSDEEP

    1536:AkdeUcaK8Qz4PQIUnq5WMrAmyopACC9ICS4A0vh4NKwTNA28V5/Ogsck:mlnXEXyk7yvh4NKwTNF8V8v

Score
10/10

Malware Config

Extracted

Path

C:\Recovery\qvp4v7-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome Massive Prints. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension qvp4v7.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/42C0F7653787AFBE

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/42C0F7653787AFBE

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key:
AjbFMzk5kOIvFgItj/hoBL2Mc6TZq3AhCBsblkUK6vJkxu/82qUUVkoSHt3DdfL1
ZuXNok7Wy1UdAzkwxmeLsLlNRrPDwWQzGwil5NuvvDabGOECe5vRs4eKd7yWYIaa
oPT89LfxTKJexHBlCThZcLMqMl1bbvKf3e/7TBtUWbwGnNqIKIAKvph3K0yGlZfh
Ul/MgO3e1btaseoSuD50TCXucq+ZI03WbuPXxPmiOUDlDGxf8Ima7mDV7MnIEXRz
UC0CIytaEvUS40vaJR0zLOAKghvMjdF2wMoi1SGq5WCOVVYm6p0Ee4z85nvc/UXu
bN8nKCt8jlhfIWkoK6pUyn+kidELRThMC7i5ciFh8lI96OfWeM1aguNvwP9olmTr
ahcQSHP+qtjYEKALgxVFgBExbCnrFX+o/PXSPgDWxP73/4svX8arK73ouLKxfYZz
MNpztndhXoRAZ0cQB4la0N4K7tT6KjatmscrrOAIx+sAKL610UW825mKZYJN3/jY
EUKWRT2SXSHrPQKcxOla/jEcxFZ2HyK31KyKb5GBxcHSW0CrY4i0/02yOFMzu/EC
V3eNz4RK3w8Hzz3rao86h7REcnstKBsgp17YdsfAChV22exM48PHs16O8X9JAiG2
d/WFtN4aa1YZuTjb1vi+CjCpsl3TTSXBjfrQ6E5kZobAWXgPd3jJXONW0dtmCze/
bm3+ZAvaxCN8nmnF8N4MVaF60cSaZ17HsSw8FACKF8mH+FRntr46kqfUw3+Thzrv
O+d+Uj+TjeCGgIdf1mbvInVvnXZUmpTVczIMmwRnd404lXt2DtF16n35ysvofuq/
OZ/flr3haNw7RmsBsxYe1TQJ6Mj/QaOkWJSWqkozdG5kcGR2Sc2NUYtRoPZkL/Pv
NA/f42yMhyO6G9dFRuOoRSU+o7zY/LMA2D2ua8a6kGCeiUIBWKLxLQLQutshQTDI
nj2QIjYDJXPLSIzSmahMS7z3LnIiZpPdPXU3wY2UfoGorPm2EtG1kRbM5ExnG4eb
Ow54v3q3tZ6jmPpe60QZKIt54Kw/MFYIX31HAMuT7/dI3Yhu6whhGBomNS+Jr2tM
creUMsnT16s7tOihW7L9PcKpqF28XevYKCkT1JOUdutu60jyHXIydJETdY5k8A3H
bOJLVdUOUZ7CL3a7pDnkf1FFG1qgMPM0pKfnoMcHp4uwPg3d5Acmt8gg5FrmS+r3
r+GRw6qHxNzyldmEOycbDa5SY7+rktUomdpuFr9N5n8Gcvrre7+ZvVh5DuHquCTR
bK8QDVv8aHf0wsoZo/31OVi9JDN3qyYHJXFoWHSI9LF/h4+vp7/py0O4R4Os+Lft
OkBjMuuvRC6kq8PzGbcSRmNCKq42gIze4zFQmHESbl8Ys2GzcBY=

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/42C0F7653787AFBE

http://decryptor.cc/42C0F7653787AFBE
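The extracted config above is only as useful as the indicators you can pull out of it programmatically: the per-victim extension, the campaign token shared by both payment URLs, the attacker hosts (minus the torproject.org reference, which is not attacker infrastructure) and the base64 key blob the victim is told to paste. The following is an added example, not code from tria.ge or from the sample; SAMPLE_NOTE is the note text shown above, abridged so that the key blob keeps only its first two lines, and the regexes, field names and benign-host list are our own assumptions about the note layout.

```python
"""Pull indicators out of a Sodinokibi/REvil ransom note.

Added example, not part of the tria.ge report or of the sample. SAMPLE_NOTE is
the text of C:\\Recovery\\qvp4v7-readme.txt as shown in the report, abridged
(the base64 key blob is cut to its first two lines). The regexes, the field
names and the benign-host list are our own assumptions about the note layout.
"""
import base64
import re
from dataclasses import dataclass, field

SAMPLE_NOTE = """---=== Welcome Massive Prints. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension qvp4v7.
[+] How to get access on website? [+]
1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/42C0F7653787AFBE
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  b) Open our secondary website: http://decryptor.cc/42C0F7653787AFBE
When you open our website, put the following data in the input form:
Key: AjbFMzk5kOIvFgItj/hoBL2Mc6TZq3AhCBsblkUK6vJkxu/82qUUVkoSHt3DdfL1
ZuXNok7Wy1UdAzkwxmeLsLlNRrPDwWQzGwil5NuvvDabGOECe5vRs4eKd7yWYIaa
-----------------------------------------------------------------------------------------
!!! DANGER !!!
"""

URL_RE = re.compile(r"https?://\S+")
EXT_RE = re.compile(r"has extension (\w+)")
# "Key:" followed by whitespace-separated runs of base64 characters (the blob
# is line-wrapped in the note); the run of dashes after it ends the match.
KEY_RE = re.compile(r"Key:\s*((?:[A-Za-z0-9+/=]+\s*)+)")
VICTIM_ID_RE = re.compile(r"[0-9A-F]{8,}")
BENIGN_HOSTS = {"torproject.org", "www.torproject.org"}  # referenced, not attacker infra


@dataclass
class RevilNoteIOCs:
    extension: str            # extension appended to encrypted files
    victim_id: str            # campaign/victim token shared by the payment URLs
    onion_urls: list = field(default_factory=list)
    clearnet_urls: list = field(default_factory=list)
    key_blob: bytes = b""     # decoded per-victim key material from the note


def _host(url: str) -> str:
    return url.split("/")[2].lower()


def parse_revil_note(text: str) -> RevilNoteIOCs:
    m = EXT_RE.search(text)
    if not m:
        raise ValueError("no 'has extension <ext>' statement in note")
    onion, clearnet, ids = [], [], set()
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")
        if _host(url) in BENIGN_HOSTS:
            continue
        (onion if _host(url).endswith(".onion") else clearnet).append(url)
        tail = url.rsplit("/", 1)[-1]
        if VICTIM_ID_RE.fullmatch(tail):
            ids.add(tail)
    if len(ids) != 1:
        # One token shared by every attacker URL is what ties the note to a
        # single victim; anything else means the layout is not what we expect.
        raise ValueError(f"expected exactly one victim id, found {sorted(ids)}")
    km = KEY_RE.search(text)
    key_b64 = "".join(km.group(1).split()) if km else ""
    key = base64.b64decode(key_b64, validate=True) if key_b64 else b""
    return RevilNoteIOCs(m.group(1), ids.pop(), onion, clearnet, key)


def to_blocklist(iocs: RevilNoteIOCs) -> list:
    """Flat list of host and file-name indicators for a blocklist or hunt query."""
    hosts = sorted({_host(u) for u in iocs.onion_urls + iocs.clearnet_urls})
    return hosts + [f"*.{iocs.extension}", f"{iocs.extension}-readme.txt"]


if __name__ == "__main__":
    result = parse_revil_note(SAMPLE_NOTE)
    print(result.extension, result.victim_id, len(result.key_blob))
    print(to_blocklist(result))
```

The victim-id check is deliberately strict: if the onion and clearnet URLs carry different tokens the note is not laid out the way REvil notes normally are, and the parser refuses rather than silently picking one. The decoded key blob is opaque ciphertext from the victim's point of view; it is kept only so the note can be matched against other recoveries from the same host, not because anything can be derived from it.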

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (13 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe
    "C:\Users\Admin\AppData\Local\Temp\81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe"
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1396
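Every behaviour in the process tree above is attributed to a single PID, which is what makes the sample detectable on an endpoint: one process drops a <random>-readme.txt note, writes many files carrying the same random extension across drives (including Program Files), and sets the desktop wallpaper through the registry. The following is an added example, not code from tria.ge or from the sample, that correlates those three behaviours per process over Sysmon-shaped telemetry. SAMPLE_EVENTS are constructed for this example in the layout of Sysmon event IDs 1 (process create), 11 (file create) and 13 (registry value set); the SID, the encrypted file names, the wallpaper paths and the benign processes are made up, and the readme naming pattern and the three-file threshold are our assumptions.

```python
"""Correlate endpoint telemetry into a REvil-style ransomware detection.

Added example, not part of the tria.ge report. It ties together the three
behaviours the sandbox attributed to PID 1396 (ransom note dropped in
C:\\Recovery, files written under Program Files and on other drives, desktop
wallpaper set through the registry) into one per-process rule. SAMPLE_EVENTS
are constructed by us in the shape of Sysmon events (ID 1 process create,
ID 11 file create, ID 13 registry value set); the SID, the encrypted file
names, the wallpaper paths and the benign processes are made up.
"""
import re
from collections import defaultdict

# <random>-readme.txt is the note naming pattern seen in the report
# (qvp4v7-readme.txt); the length bounds are our assumption.
README_RE = re.compile(r"^([a-z0-9]{4,12})-readme\.txt$", re.I)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
MIN_ENCRYPTED = 3  # assumption: renamed files needed before alerting

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
WALLPAPER_KEY = "HKU\\" + SID + r"\Control Panel\Desktop\Wallpaper"
REVIL = r"C:\Users\Admin\AppData\Local\Temp\81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe"

SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1396, "Image": REVIL},
    {"EventID": 11, "ProcessId": 1396, "TargetFilename": r"C:\Program Files\Common Files\budget.xlsx.qvp4v7"},
    {"EventID": 11, "ProcessId": 1396, "TargetFilename": r"C:\Users\Admin\Documents\report.docx.qvp4v7"},
    {"EventID": 11, "ProcessId": 1396, "TargetFilename": r"D:\Shares\finance\invoices.pdf.qvp4v7"},
    {"EventID": 11, "ProcessId": 1396, "TargetFilename": r"C:\Recovery\qvp4v7-readme.txt"},
    {"EventID": 13, "ProcessId": 1396, "EventType": "SetValue", "TargetObject": WALLPAPER_KEY,
     "Details": r"C:\Users\Admin\AppData\Local\Temp\wall.bmp"},
    # benign noise: a user saving a document and changing the wallpaper in Settings
    {"EventID": 1, "ProcessId": 4044, "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 4044, "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe"},
    {"EventID": 13, "ProcessId": 5120, "EventType": "SetValue", "TargetObject": WALLPAPER_KEY,
     "Details": r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def detect_ransomware(events, min_encrypted=MIN_ENCRYPTED):
    """One finding per process that dropped a <ext>-readme.txt note and created
    at least `min_encrypted` files ending in that extension; a wallpaper change
    by the same process raises the severity but is never sufficient on its own."""
    state = defaultdict(lambda: {"image": None, "files": [], "wallpaper": False})
    for ev in events:
        st = state[ev["ProcessId"]]
        eid = ev["EventID"]
        if eid == 1:
            st["image"] = ev["Image"]
        elif eid == 11:
            st["files"].append(ev["TargetFilename"])
        elif eid == 13 and WALLPAPER_RE.search(ev.get("TargetObject", "")):
            st["wallpaper"] = True

    findings = []
    for pid, st in state.items():
        notes = [f for f in st["files"] if README_RE.match(_basename(f))]
        if not notes:
            continue  # Settings app changing the wallpaper alone stays quiet
        ext = README_RE.match(_basename(notes[0])).group(1).lower()
        encrypted = [f for f in st["files"] if _basename(f).lower().endswith("." + ext)]
        if len(encrypted) < min_encrypted:
            continue
        # which drive letters were written to: the sample enumerates non-C: drives
        drives = sorted({f[0].upper() for f in encrypted if len(f) > 1 and f[1] == ":"})
        findings.append({
            "pid": pid,
            "image": st["image"],
            "extension": ext,
            "ransom_notes": notes,
            "encrypted_files": len(encrypted),
            "drives_touched": drives,
            "wallpaper_set": st["wallpaper"],
            "severity": "critical" if st["wallpaper"] else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_ransomware(SAMPLE_EVENTS):
        print(finding)
```

Keying the rule on the note's own prefix rather than on a fixed extension list is what keeps it working across REvil victims, since the extension is generated per infection; the wallpaper write is used only to escalate severity because legitimate software touches that key too. On a real host you would feed the same function the parsed Sysmon operational log instead of SAMPLE_EVENTS.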

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Recovery\qvp4v7-readme.txt

    Filesize

    6KB

    MD5

    f789525bd50561fb1518fc70c0e34d48

    SHA1

    556bddda578fecda9beaf0fd1d90776d298cc0d5

    SHA256

    f60353f6fc95df31cddf51ebc3bf375309531963442fd653eb2003378f95931e

    SHA512

    4bc60d27ce5c1070f63a76f14459a01013fe3c3deb7ecd7ff673098bee7c7328b21d03146f1ac5edb3adaef73d04423d779a2b055a59f591652e59557a7e8519