Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows11-21h2-x64

10

Ransomware...KB.exe

windows11-21h2-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows11-21h2-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows11-21h2-x64

10

Ransomware...KB.msi

windows10-ltsc_2021-x64

Ransomware...KB.msi

windows7-x64

Ransomware...KB.msi

windows10-2004-x64

Ransomware...KB.msi

windows10-ltsc_2021-x64

Ransomware...KB.msi

windows11-21h2-x64

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows11-21h2-x64

5

Ransomware...KB.ps1

windows10-ltsc_2021-x64

Ransomware...KB.ps1

windows7-x64

Ransomware...KB.ps1

windows10-2004-x64

Ransomware...KB.ps1

windows10-ltsc_2021-x64

Ransomware...KB.ps1

windows11-21h2-x64

Resubmissions

25/03/2025, 15:11

250325-skmbpsxzaw 10

25/03/2025, 15:06

250325-sg1d6a1px2 10

25/03/2025, 15:01

250325-sd5jpsxyct 10

25/03/2025, 14:56

250325-sbdcfaxxgs 10

25/03/2025, 14:50

250325-r7ve6a1nv3 10

25/03/2025, 14:46

250325-r5ab7sxwhx 10

25/03/2025, 14:40

250325-r2c9paxwe1 10

05/02/2025, 10:25

250205-mgcefaslhw 10

05/02/2025, 10:17

250205-mbs51atmbk 10

05/02/2025, 09:15

250205-k785zs1pfn 10

Analysis

  • max time kernel
    108s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2025, 15:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe

  • Size

    252KB

  • MD5

    1ce1ca85bff4517a1ef7e8f9a7c22b16

  • SHA1

    f35f0cd23692e5f5d0a3be7aefc8b01dfdd4e614

  • SHA256

    06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851

  • SHA512

    6e67fa01a8792453b148074fe027def90e1d3f6042037216986ee9e3d0c436c177764bc5e5900dbbab91e10d8a3c86a2ea04ef547149bfc92a33ec0236759949

  • SSDEEP

    6144:Rb8oNGxoFlv2ynsDJv++C3uGsKTYZH7nJHVyjG7q9J4:RTvnOdtC+GENnvyjGN

Score
10/10
sodinokibi5367defense_evasiondiscoveryexecutionimpactransomwarespywarestealerupx

Malware Config

Extracted

Family

sodinokibi

Botnet

5

Campaign

367

Decoy

craftingalegacy.com

g2mediainc.com

brinkdoepke.eu

vipcarrental.ae

autoteamlast.de

hostastay.com

gavelmasters.com

ronaldhendriks.nl

successcolony.com.ng

medicalsupportco.com

kompresory-opravy.com

sveneulberg.de

oththukaruva.com

voetbalhoogeveen.nl

selected-minds.de

log-barn.co.uk

fsbforsale.com

jobkiwi.com.ng

ivancacu.com

11.in.ua
Attributes
  • net

    true

  • pid

    5

  • prc

    wordpad.exe

    outlook.exe

    tbirdconfig.exe

    agntsvc.exe

    thebat.exe

    mydesktopservice.exe

    sqbcoreservice.exe

    thunderbird.exe

    ocomm.exe

    excel.exe

    thebat64.exe

    steam.exe

    xfssvccon.exe

    firefoxconfig.exe

    sqlagent.exe

    ocssd.exe

    mydesktopqos.exe

    msaccess.exe

    isqlplussvc.exe

    mspub.exe

    winword.exe

    sqlbrowser.exe

    dbeng50.exe

    sqlservr.exe

    oracle.exe

    encsvc.exe

    powerpnt.exe

    dbsnmp.exe

    infopath.exe

    ocautoupds.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    367

Extracted

Path

C:\Users\k30zg2xv-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion k30zg2xv. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1253381EA533C8F3 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/1253381EA533C8F3 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: RTM6vCJhfwvNUpBHHLiMCA5BsKYnKwcZgNg349zGbGHWB8oet6ZcolATm9HStIgQ 7IoyZ+VMuQEMEsQG4Dy2s7puI9WB9QNVs0z1Kd9Y9vNvqEJX6nUMJ8ZM+w+p6fzz DqeA3HQ9tWK0vEOrIMlS+cQKtmkcCAdGreEPpVTisdIB7fj9/wKNTfx54ZzDaaT+ rGvLK0H/z4SCP4D4CcXHiqVwydGNEZzkT5DjgwLgXMmKjPX/eFE1rv/XoIMm7exV VJxLNQpGweFDKDGM/RJP+lY580I+3Fbt9abiIKFcGN5ubsnGfIYfvmdyKRrBgBlQ wyEoIBzAUOScIihbOc4dF2qcIOALUiH938C6a4tQg2lg/jizC9Xprub2aepXJOFc 7P41hOUy5rKaQQJh8ItaEg5THIr57joDdH2d1vG0R8AZetoXjNhpXsMJAoOGjPcp X6tFcqh89RoEeSbYnOjUGjiSE3GTYrR8O5v3ViwNFWWSabudtyMeADckHjDoQk8A DI/cDDSLkeQOpi6YcKwXoLTc9akX3b5Y3QKsZ5qbcDgc+nmla4xUCQ+yqV9U4ak3 lKHcEc3SYxx3XtTocmLAhT4LqI5SRpmXhBerRW6B3SfyVbanoBz9L0dRFmUvv0vO /oBLTlHa6fEz7YjBPXhTNchiiNBUglyQQArTRAz0CLraZmfVD540nWW97wPMGu1r /oAIMgTRd3SRo3KZ0mDEtvPQY0Lvn1jWxcu2nxo3rz5GFezPkgUlsdGoKcGtFQwA /hEvxDDHEF/D8c4axBOYEr6F9fbOPtzFgaWDQ6t0qDrW62x7B/I7mUd/B9jXPp85 XXA/F98D+6TkfPvE5KPrnubDRq9laSHDuD/LP52uFFkqvRpoo0zsf4YwN8je2f1G FgsPK77P4kJke8Fy2OW/V6WGT8IJ48xAapxkdXONN7QrhKhdJdajBe9lhG8+mBaE P6czjbrNvs4SW4iUdNzDyP7srLbQ1D+wgVNRNOqIVAxNI4S+wR+2ldT+yyVRbw7r btxY8XDRpagCJ4aBycst9xns0x+2AmtkA6qwtNZQX9aG2J9giwgOR3rs4aJHSHHq a3VhPW8BekcnZ+tOzq1fSQb81nVe95JIc6a9iA1vxmEE6yNWC7cm7dqEF6Cypb+n JJJL81FwXmFP3iKENKD4ORijil4t6C3mkP/Grtl7xhuoLtsqiatuHErjM9Uygs7O /yFBrvdLTL2u5e+T Extension name: k30zg2xv ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1253381EA533C8F3

http://decryptor.top/1253381EA533C8F3

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi family
    sodinokibi
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 30 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 2 IoCs
    defense_evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Sodinokibi_04_07_2019_253KB.exe
    C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Sodinokibi_04_07_2019_253KB.exe bcdedit /set shutdown /r /f /t 2
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:1600
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar3200.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • C:\Users\k30zg2xv-readme.txt
    Filesize

    6KB

    MD5

    e735ad70697d73470f34b8244511f8a0

    SHA1

    90e55e6aec496b211aad20f53530e554b1b713ba

    SHA256

    2ab42cb7f1eadeeb391b85d69569a3d32ec16ef7112ba2827846c04c769caf4e

    SHA512

    061ad786a460dd71e723de927c58693fd193ec51aaacd39baefc469a5c7f1f13efcca26fe0141f23ac1776124ce253a56cd636e0728af13f498f83fc77d932c1

    Download Submit

  • memory/2904-11-0x00000000002A0000-0x00000000002A6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2904-16-0x00000000005A0000-0x00000000006A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2904-8-0x00000000022F0000-0x000000000241D000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2904-0-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2904-7-0x0000000002060000-0x00000000020FF000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2904-6-0x0000000002220000-0x00000000022E9000-memory.dmp

    Filesize

    804KB

    Download

  • memory/2904-10-0x0000000002600000-0x0000000002709000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2904-9-0x00000000003C0000-0x00000000003DF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2904-12-0x00000000002A0000-0x00000000002A6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2904-15-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2904-14-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2904-5-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2904-17-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2904-19-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2904-4-0x0000000000220000-0x000000000022A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2904-3-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2904-2-0x00000000005A0000-0x00000000006A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2904-545-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2904-546-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2904-548-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2904-550-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2904-551-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download