Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
154s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
13/02/2022, 12:20
Static task
static1
Behavioral task
behavioral1
Sample
b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe
Resource
win10v2004-en-20220113
General
-
Target
b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe
-
Size
73KB
-
MD5
d4b7c1a8597b37290ce836cdebdd1b1f
-
SHA1
621a3838729afc06e7f9d678e06f3a2ffb28cfdd
-
SHA256
b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9
-
SHA512
4273cb57fb01b841784a91fe03a050be59f62535e1f34df503f2f1677bce9677ae8367384882b9dabe06c992d1d953f005e70d0f0754533df15c8b70ae236f30
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Signatures
-
Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
-
Executes dropped EXE 1 IoCs
pid Process 4396 oyqqqdt.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxqj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt" b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 oyqqqdt.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 4396 oyqqqdt.exe Token: SeShutdownPrivilege 2888 svchost.exe Token: SeCreatePagefilePrivilege 2888 svchost.exe Token: SeShutdownPrivilege 2888 svchost.exe Token: SeCreatePagefilePrivilege 2888 svchost.exe Token: SeShutdownPrivilege 2888 svchost.exe Token: SeCreatePagefilePrivilege 2888 svchost.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe Token: SeBackupPrivilege 3112 TiWorker.exe Token: SeRestorePrivilege 3112 TiWorker.exe Token: SeSecurityPrivilege 3112 TiWorker.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2712 wrote to memory of 4396 2712 b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe 89 PID 2712 wrote to memory of 4396 2712 b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe 89 PID 2712 wrote to memory of 4396 2712 b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe"C:\Users\Admin\AppData\Local\Temp\b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Users\Admin\AppData\Local\Temp\oyqqqdt.exe"C:\Users\Admin\AppData\Local\Temp\oyqqqdt.exe" {ea90e9d2-74a7-11ec-b993-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\B99319~1.EXE"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:4396
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3112