Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    165s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    13/02/2022, 12:21

General

  • Target

    b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe

  • Size

    72KB

  • MD5

    2c0d06420d5af53d3324717bc2e4f280

  • SHA1

    f0d10df44ee7ae8e2da6c02eb1fb9ed1517c26fa

  • SHA256

    b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7

  • SHA512

    7e6c63d1bcba6e22a0f6a2539c25daf451c698fb2579747dd42b059e3780787582263b42ee57e1f8448764fb29b07173a5b8ec43c250fe2e725c6e44b1e3c583

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 2811CAB3DC2A63CEB89AED116AECF3F1 and pay on a Bitcoin Wallet: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 2811CAB3DC2A63CEB89AED116AECF3F1 this is code; you must send BTC: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Signatures

  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe
    "C:\Users\Admin\AppData\Local\Temp\b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe"
    1⤵
    • Adds Run key to start application
    PID:1728
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:2032
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3392
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2980

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads