satana | b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7

Analysis

max time kernel
165s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
13/02/2022, 12:21 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe
Size

72KB
MD5

2c0d06420d5af53d3324717bc2e4f280
SHA1

f0d10df44ee7ae8e2da6c02eb1fb9ed1517c26fa
SHA256

b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7
SHA512

7e6c63d1bcba6e22a0f6a2539c25daf451c698fb2579747dd42b059e3780787582263b42ee57e1f8448764fb29b07173a5b8ec43c250fe2e725c6e44b1e3c583

Score

10^/10

satana persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note

You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: khoperia331@mail.com your private code: 2811CAB3DC2A63CEB89AED116AECF3F1 and pay on a Bitcoin Wallet: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: khoperia331@mail.com - this is our mail CODE: 2811CAB3DC2A63CEB89AED116AECF3F1 this is code; you must send BTC: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Emails

khoperia331@mail.com

Signatures

Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
ransomware satana

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggwnqnv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"	b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4168"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "16.644119"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.027052"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4400"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.368665"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132894049420648817"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe
Token: SeRestorePrivilege	2980	TiWorker.exe
Token: SeSecurityPrivilege	2980	TiWorker.exe
Token: SeBackupPrivilege	2980	TiWorker.exe

C:\Users\Admin\AppData\Local\Temp\b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe
"C:\Users\Admin\AppData\Local\Temp\b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe"
1⤵
- Adds Run key to start application
PID:1728

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:2032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3392

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2980

Network

DNS

geo.prod.do.dsp.mp.microsoft.com

NetworkService

Remote address:

8.8.8.8:53

Request

geo.prod.do.dsp.mp.microsoft.com

IN A

Response

geo.prod.do.dsp.mp.microsoft.com

IN CNAME

geo.prod.do.dsp.trafficmanager.net

geo.prod.do.dsp.trafficmanager.net

IN CNAME

array616.prod.do.dsp.mp.microsoft.com

array616.prod.do.dsp.mp.microsoft.com

IN A

20.54.25.4
DNS

kv801.prod.do.dsp.mp.microsoft.com

NetworkService

Remote address:

8.8.8.8:53

Request

kv801.prod.do.dsp.mp.microsoft.com

IN A

Response

kv801.prod.do.dsp.mp.microsoft.com

IN CNAME

kv801.prod.do.dsp.mp.microsoft.com.edgekey.net

kv801.prod.do.dsp.mp.microsoft.com.edgekey.net

IN CNAME

e12437.g.akamaiedge.net

e12437.g.akamaiedge.net

IN A

184.29.205.60
GET

https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1

NetworkService

Remote address:

184.29.205.60:443

Request

GET /all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Microsoft-Delivery-Optimization/10.0
MS-CV: dPWM5xm4ekSNTmjw.2.1.1
Content-Length: 0
Host: kv801.prod.do.dsp.mp.microsoft.com

Response

HTTP/1.1 200 OK

Content-Type: text/json
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 808
Cache-Control: max-age=25
Date: Sun, 13 Feb 2022 12:22:28 GMT
Connection: keep-alive
DNS

cp801.prod.do.dsp.mp.microsoft.com

NetworkService

Remote address:

8.8.8.8:53

Request

cp801.prod.do.dsp.mp.microsoft.com

IN A

Response

cp801.prod.do.dsp.mp.microsoft.com

IN CNAME

cp801.prod.do.dsp.mp.microsoft.com.edgekey.net

cp801.prod.do.dsp.mp.microsoft.com.edgekey.net

IN CNAME

e12437.g.akamaiedge.net

e12437.g.akamaiedge.net

IN A

184.29.205.60
GET

https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1

NetworkService

Remote address:

184.29.205.60:443

Request

GET /v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Microsoft-Delivery-Optimization/10.0
MS-CV: fGaNESRY70uPCuTNchFYQw.0.2.8.1.1.1
Content-Length: 0
Host: cp801.prod.do.dsp.mp.microsoft.com

Response

HTTP/1.1 200 OK

Content-Type: text/json
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 370
Cache-Control: max-age=33044
Date: Sun, 13 Feb 2022 12:22:40 GMT
Connection: keep-alive
GET

https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1

NetworkService

Remote address:

184.29.205.60:443

Request

GET /v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Microsoft-Delivery-Optimization/10.0
MS-CV: fGaNESRY70uPCuTNchFYQw.0.2.8.2.1.1
Content-Length: 0
Host: cp801.prod.do.dsp.mp.microsoft.com

Response

HTTP/1.1 200 OK

Content-Type: text/json
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 370
Cache-Control: max-age=33044
Date: Sun, 13 Feb 2022 12:22:40 GMT
Connection: keep-alive
DNS

226.101.242.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

226.101.242.52.in-addr.arpa

IN PTR

Response

104.80.224.57:443

322 B
7
93.184.220.29:80

260 B
5
93.184.220.29:80

260 B
5
20.50.201.200:443

40 B
1
93.184.220.29:80

322 B
7
20.54.25.4:443

geo.prod.do.dsp.mp.microsoft.com

tls, https

NetworkService

1.2kB
3.5kB
12
9
184.29.205.60:443

https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1

tls, http

NetworkService

1.2kB
7.8kB
11
13

HTTP Request

GET https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1

HTTP Response

200
185.127.26.186:80

b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe

260 B
5
184.29.205.60:443

https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1

tls, http

NetworkService

1.4kB
7.3kB
11
13

HTTP Request

GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1

HTTP Response

200
184.29.205.60:443

https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1

tls, http

NetworkService

1.4kB
7.3kB
11
13

HTTP Request

GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1

HTTP Response

200

8.8.8.8:53

geo.prod.do.dsp.mp.microsoft.com

dns

NetworkService

78 B
165 B
1
1

DNS Request

geo.prod.do.dsp.mp.microsoft.com

DNS Response

20.54.25.4
8.8.8.8:53

kv801.prod.do.dsp.mp.microsoft.com

dns

NetworkService

80 B
190 B
1
1

DNS Request

kv801.prod.do.dsp.mp.microsoft.com

DNS Response

184.29.205.60
8.8.8.8:53

cp801.prod.do.dsp.mp.microsoft.com

dns

NetworkService

80 B
190 B
1
1

DNS Request

cp801.prod.do.dsp.mp.microsoft.com

DNS Response

184.29.205.60
8.8.8.8:53

226.101.242.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

226.101.242.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.