Analysis
- max time kernel: 152s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 13/02/2022, 12:19
Static task: static1

Behavioral task: behavioral1
- Sample: ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
- Resource: win10v2004-en-20220112
General
- Target: ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
- Size: 34KB
- MD5: d236fcc8789f94f085137058311e848b
- SHA1: 808061052c9efc7c7255ffeb92c77b02bbb8cfee
- SHA256: ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d
- SHA512: 730c6bf2d17a6fd4b1de4a361848381256187e3cda1133f8d990107a44274078486b310f97751eef771e1e618c2e233f8852a4d61dc93b5ed1c757131e58948d
Malware Config
- Extracted from: C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Signatures
- Satana
  Ransomware family which also encrypts the system's Master Boot Record (MBR).
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoC)
  PID 464: buj.exe
- Deletes itself (1 IoC)
  PID 464: buj.exe
- Loads dropped DLL (5 IoCs)
  PID 1628: ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe (listed 4 times)
  PID 464: buj.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\cocc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt" (ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe)
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PHYSICALDRIVE0 (buj.exe)
- Drops file in Program Files directory (64 IoCs; process is buj.exe for every entry)
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif
  File created: C:\Program Files\VideoLAN\VLC\locale\da\!satana!.txt
  File created: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\!satana!.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\attention.gif
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\!satana!.txt
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png
  File opened for modification: C:\Program Files\7-Zip\Lang\nn.txt
  File opened for modification: C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png
  File opened for modification: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml
  File created: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\!satana!.txt
  File created: C:\Program Files\VideoLAN\VLC\locale\kn\!satana!.txt
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\10.png
  File created: C:\Program Files (x86)\Common Files\Adobe\Help\en_US\!satana!.txt
  File created: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\!satana!.txt
  File created: C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\!satana!.txt
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml
  File created: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\!satana!.txt
  File created: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\!satana!.txt
  File created: C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\!satana!.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_pressed.gif
  File opened for modification: C:\Program Files\7-Zip\Lang\ext.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png
  File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\!satana!.txt
  File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\!satana!.txt
  File created: C:\Program Files\Java\jre7\lib\zi\SystemV\!satana!.txt
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png
  File created: C:\Program Files (x86)\Common Files\Adobe\Updater6\!satana!.txt
  File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\!satana!.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml
  File created: C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\!satana!.txt
  File created: C:\Program Files\Windows NT\TableTextService\en-US\!satana!.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif
  File opened for modification: C:\Program Files\DVD Maker\Shared\DissolveNoise.png
  File created: C:\Program Files\VideoLAN\VLC\locale\ta\!satana!.txt
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png
  File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\!satana!.txt
  File created: C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\!satana!.txt
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\!satana!.txt
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\drag.png
  File created: C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\!satana!.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\[email protected]___bg_GreenTea.gif
  File opened for modification: C:\Program Files\7-Zip\Lang\sl.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml
  File created: C:\Program Files\VideoLAN\VLC\locale\ky\!satana!.txt
  File created: C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\!satana!.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg
  File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\!satana!.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip
  File created: C:\Program Files\Windows Media Player\de-DE\!satana!.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right_over.gif
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\!satana!.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml
  File created: C:\Program Files\Microsoft Games\Hearts\de-DE\!satana!.txt
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  PID 836: VSSADMIN.EXE
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeIncBasePriorityPrivilege, PID 464 (buj.exe)
  Token: SeBackupPrivilege, PID 1556 (vssvc.exe)
  Token: SeRestorePrivilege, PID 1556 (vssvc.exe)
  Token: SeAuditPrivilege, PID 1556 (vssvc.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1628 wrote to memory of 464: ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe, procid_target 27 (listed 4 times)
  PID 464 wrote to memory of 836: buj.exe, procid_target 28 (listed 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe"
  PID: 1628
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\buj.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\buj.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\EE9377~1.EXE"
    PID: 464
    - Executes dropped EXE
    - Deletes itself
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\VSSADMIN.EXE
      Command line: "C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet
      PID: 836
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1556
  - Suspicious use of AdjustPrivilegeToken