Analysis

  • max time kernel
    165s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    13/02/2022, 12:21 UTC

General

  • Target

    b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe

  • Size

    72KB

  • MD5

    2c0d06420d5af53d3324717bc2e4f280

  • SHA1

    f0d10df44ee7ae8e2da6c02eb1fb9ed1517c26fa

  • SHA256

    b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7

  • SHA512

    7e6c63d1bcba6e22a0f6a2539c25daf451c698fb2579747dd42b059e3780787582263b42ee57e1f8448764fb29b07173a5b8ec43c250fe2e725c6e44b1e3c583

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: khoperia331@mail.com your private code: 2811CAB3DC2A63CEB89AED116AECF3F1 and pay on a Bitcoin Wallet: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: khoperia331@mail.com - this is our mail CODE: 2811CAB3DC2A63CEB89AED116AECF3F1 this is code; you must send BTC: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>
Emails

khoperia331@mail.com
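
The fields an analyst pulls out of a note like the one above (contact address, per-victim code, wallet string, demanded amount) can be extracted programmatically. The Python below is an added example written for this page; it is not part of the Triage report or of the malware. The excerpt it runs on is copied from the note above and labelled as constructed input; the regular expressions are assumptions about the note's shape. It handles two quirks visible in this note: the comma decimal separator in "0,5 btc", and the fact that a 32-digit hex code is also a legal Base58 string, so it would otherwise be reported as a wallet.

```python
import re
from decimal import Decimal

# Constructed input: the first sentences of the !satana!.txt note shown on this page.
SAMPLE_NOTE = (
    "You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> "
    "To decrypt you need send on this E-mail: khoperia331@mail.com your private code: "
    "2811CAB3DC2A63CEB89AED116AECF3F1 and pay on a Bitcoin Wallet: "
    "XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T total 0,5 btc After that during 1 - 2 days "
    "the software will be sent to you - decryptor - and the necessary instructions."
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The per-victim "private code": 32 upper-case hex digits.
CODE_RE = re.compile(r"\b[0-9A-F]{32}\b")
# Base58 alphabet (digits and letters without 0, O, I, l), 26-35 characters.
WALLET_RE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{26,35}\b")
# Amount plus currency word; this note writes the amount with a comma ("0,5 btc").
AMOUNT_RE = re.compile(r"\b(\d+(?:[.,]\d+)?)\s*(btc|bitcoins?)\b", re.IGNORECASE)
FAMILY_MARKER = "<!SATANA!>"


def extract_iocs(note: str) -> dict:
    """Pull contact, victim code, wallet and amount out of a ransom note."""
    codes = set(CODE_RE.findall(note))
    # A 32-digit hex code is itself a legal Base58 string, so it also matches WALLET_RE;
    # remove the codes from the wallet candidates rather than weakening the wallet pattern.
    wallets = set(WALLET_RE.findall(note)) - codes
    amounts = {Decimal(amount.replace(",", ".")) for amount, _unit in AMOUNT_RE.findall(note)}
    return {
        "family_marker": FAMILY_MARKER in note,
        "emails": sorted(set(EMAIL_RE.findall(note))),
        "codes": sorted(codes),
        "wallets": sorted(wallets),
        "amounts_btc": sorted(amounts),
    }


def looks_like_bitcoin_address(addr: str) -> bool:
    """Prefix-only plausibility check (no Base58Check checksum verification).

    Bitcoin mainnet addresses start with '1' (P2PKH), '3' (P2SH) or 'bc1' (bech32).
    """
    return addr.startswith("bc1") or addr[:1] in ("1", "3")


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_NOTE)
    for key, value in iocs.items():
        print(f"{key}: {value}")
    for wallet in iocs["wallets"]:
        verdict = "bitcoin-shaped" if looks_like_bitcoin_address(wallet) else "not a Bitcoin address format"
        print(wallet, verdict)
```

Note that the wallet string in this note begins with "X", which is not a Bitcoin mainnet prefix; the prefix check flags it so a downstream validator does not silently treat it as a BTC payment address. A complete validator would also verify the Base58Check checksum.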

Signatures

  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS (49 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
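
The signatures above are single behaviours, and several are noisy on their own: the processor-information read fired on MusNotifyIcon.exe, a Windows component, and AdjustPrivilegeToken is used by TiWorker.exe as part of normal servicing. Taken together on one process, however, a Run-key write, a raw physical-drive open and a dropped !satana!.txt describe a ransomware run. The Python below is an added example, not part of this report or of any Triage tooling: it replays a handful of constructed API-trace events modelled on the signature names and scores them per process. The event format, the value name written under Run, the device handle, the privilege names and the rule weights are assumptions; only the image paths, PIDs and the note path are taken from the report.

```python
import re
from dataclasses import dataclass

# Image paths, PIDs and note path as they appear in this report.
SAMPLE_IMAGE = (
    r"C:\Users\Admin\AppData\Local\Temp"
    r"\b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe"
)
NOTE_PATH = r"C:\Users\Admin\AppData\Local\Temp\!satana!.txt"
TIWORKER = (
    r"C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35"
    r"_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe"
)


@dataclass(frozen=True)
class ApiEvent:
    pid: int
    image: str
    api: str      # monitored API name (assumed trace format)
    target: str   # registry path, file path, device or privilege the call touched


# Constructed API-trace events. The behaviours follow the signatures above; the Run value
# name, the device handle and the privilege names are assumptions, not report data.
SAMPLE_EVENTS = [
    ApiEvent(1728, SAMPLE_IMAGE, "RegSetValue",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\example"),
    ApiEvent(1728, SAMPLE_IMAGE, "CreateFile", r"\\.\PhysicalDrive0"),
    ApiEvent(1728, SAMPLE_IMAGE, "CreateFile", NOTE_PATH),
    ApiEvent(1728, SAMPLE_IMAGE, "AdjustTokenPrivileges", "SeShutdownPrivilege"),
    # Windows components that trip single signatures during normal operation.
    ApiEvent(2032, r"C:\Windows\system32\MusNotifyIcon.exe", "RegQueryValue",
             r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ApiEvent(2980, TIWORKER, "AdjustTokenPrivileges", "SeTakeOwnershipPrivilege"),
]

# (rule name, API, target pattern, weight). Weights are illustrative.
RULES = [
    ("run_key_persistence", "RegSetValue",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I), 3),
    ("raw_physical_drive_open", "CreateFile",
     re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.I), 4),
    ("satana_ransom_note", "CreateFile", re.compile(r"\\!satana!\.txt$", re.I), 5),
    ("cpu_info_registry_read", "RegQueryValue",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I), 1),
    ("adjust_token_privileges", "AdjustTokenPrivileges", re.compile(r"."), 1),
]
ALERT_THRESHOLD = 5


def correlate(events, threshold=ALERT_THRESHOLD):
    """Collect rule hits per PID (each rule counts once per process) and alert when the
    summed weights reach the threshold, so a lone noisy signature does not alert."""
    per_pid = {}
    for ev in events:
        entry = per_pid.setdefault(ev.pid, {"image": ev.image, "hits": set(), "score": 0})
        for name, api, pattern, weight in RULES:
            if ev.api == api and pattern.search(ev.target) and name not in entry["hits"]:
                entry["hits"].add(name)
                entry["score"] += weight
    for entry in per_pid.values():
        entry["hits"] = sorted(entry["hits"])
        entry["alert"] = entry["score"] >= threshold
    return per_pid


if __name__ == "__main__":
    for pid, entry in correlate(SAMPLE_EVENTS).items():
        flag = "ALERT" if entry["alert"] else "ok"
        print(f"{flag:5} pid={pid} score={entry['score']} hits={entry['hits']} image={entry['image']}")
```

With these weights the sample process (PID 1728) alerts on four correlated behaviours, while MusNotifyIcon.exe and TiWorker.exe each stay below the threshold on their single hit. In a real pipeline the per-PID grouping should also follow parent/child relationships, since ransomware frequently does its work from a spawned copy of itself.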

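Satana's distinguishing trait is that it overwrites the Master Boot Record, so a triage or recovery step is to check whether sector 0 of the disk (or of a forensic image) still looks like a boot record. The Python below is an added example, not part of this report: it parses a 512-byte sector, checks the 0x55AA boot signature and the four partition-table entries, and uses the Shannon entropy of the boot-code region to tell structured x86 boot code (short instruction sequences padded with zeros) from an encrypted or garbage overwrite. Both sectors it runs on are constructed, a minimal valid MBR and a pseudo-random one standing in for an encrypted sector, and the entropy cut-off of 7.0 bits per byte is an assumption.

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
# Assumed cut-off: zero-padded boot code sits far below this, encrypted or random data far above it.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte sector and list everything that argues against it being an intact MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[510:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[off:off + 16]
        if entry == bytes(16):
            continue                      # unused slot
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80):    # only "inactive" and "bootable" are legal
            findings.append(f"partition {i}: status byte 0x{status:02x} is neither 0x00 nor 0x80")
        if lba_start == 0 or sectors == 0:
            findings.append(f"partition {i}: zero start LBA or length")
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    if not partitions:
        findings.append("partition table empty")
    entropy = shannon_entropy(sector[:PARTITION_TABLE_OFFSET])
    if entropy > ENTROPY_THRESHOLD:
        findings.append("high-entropy boot code (looks encrypted or overwritten)")
    return {
        "ok": not findings,
        "findings": findings,
        "partitions": partitions,
        "entropy": round(entropy, 2),
        "sha256": hashlib.sha256(sector).hexdigest(),  # compare with a baseline taken from a clean host
    }


def build_test_mbr() -> bytes:
    """Constructed minimal MBR: a few real-mode instructions, one NTFS-type partition, valid signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xf4"      # xor ax,ax; mov ss,ax; mov sp,0x7c00; hlt
    boot_code = boot_code.ljust(440, b"\x00")
    disk_sig = b"\x12\x34\x56\x78\x00\x00"                # 32-bit disk signature + reserved word
    part0 = struct.pack("<BBBBBBBBII", 0x80, 0x20, 0x21, 0x00, 0x07, 0xfe, 0xff, 0xff, 2048, 204800)
    return boot_code + disk_sig + part0 + bytes(48) + BOOT_SIGNATURE


def build_encrypted_mbr() -> bytes:
    """Constructed stand-in for a sector encrypted in place: a deterministic SHA-256 chain."""
    out, block = b"", b"constructed seed"
    while len(out) < SECTOR_SIZE:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:SECTOR_SIZE]


if __name__ == "__main__":
    for label, sector in (("clean", build_test_mbr()), ("encrypted", build_encrypted_mbr())):
        result = parse_mbr(sector)
        print(label, "OK" if result["ok"] else "SUSPECT", result["entropy"], result["findings"])
```

On a live Windows host, feed parse_mbr the first 512 bytes of \\.\PhysicalDrive0 (opening that device needs administrator rights); on an image, the first 512 bytes of the file. The entropy heuristic is deliberately only one of the checks: a sector XORed with a single repeating byte keeps exactly the entropy of the original, so a bootkit that encrypts that way would pass it while still failing the signature and partition-table checks, and none of the heuristics replace comparing the sector's SHA-256 with a known-good baseline.
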
Processes

  • C:\Users\Admin\AppData\Local\Temp\b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe
    "C:\Users\Admin\AppData\Local\Temp\b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe"
    • Adds Run key to start application
    PID:1728
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    • Checks processor information in registry
    PID:2032
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3392
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2980

Network

  • DNS (US)
    geo.prod.do.dsp.mp.microsoft.com
    NetworkService
    Remote address:
    8.8.8.8:53
    Request
    geo.prod.do.dsp.mp.microsoft.com
    IN A
    Response
    geo.prod.do.dsp.mp.microsoft.com
    IN CNAME
    geo.prod.do.dsp.trafficmanager.net
    geo.prod.do.dsp.trafficmanager.net
    IN CNAME
    array616.prod.do.dsp.mp.microsoft.com
    array616.prod.do.dsp.mp.microsoft.com
    IN A
    20.54.25.4
  • DNS (US)
    kv801.prod.do.dsp.mp.microsoft.com
    NetworkService
    Remote address:
    8.8.8.8:53
    Request
    kv801.prod.do.dsp.mp.microsoft.com
    IN A
    Response
    kv801.prod.do.dsp.mp.microsoft.com
    IN CNAME
    kv801.prod.do.dsp.mp.microsoft.com.edgekey.net
    kv801.prod.do.dsp.mp.microsoft.com.edgekey.net
    IN CNAME
    e12437.g.akamaiedge.net
    e12437.g.akamaiedge.net
    IN A
    184.29.205.60
  • GET (NL)
    https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1
    NetworkService
    Remote address:
    184.29.205.60:443
    Request
    GET /all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Microsoft-Delivery-Optimization/10.0
    MS-CV: dPWM5xm4ekSNTmjw.2.1.1
    Content-Length: 0
    Host: kv801.prod.do.dsp.mp.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Type: text/json
    Server: Microsoft-IIS/10.0
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 808
    Cache-Control: max-age=25
    Date: Sun, 13 Feb 2022 12:22:28 GMT
    Connection: keep-alive
  • DNS (US)
    cp801.prod.do.dsp.mp.microsoft.com
    NetworkService
    Remote address:
    8.8.8.8:53
    Request
    cp801.prod.do.dsp.mp.microsoft.com
    IN A
    Response
    cp801.prod.do.dsp.mp.microsoft.com
    IN CNAME
    cp801.prod.do.dsp.mp.microsoft.com.edgekey.net
    cp801.prod.do.dsp.mp.microsoft.com.edgekey.net
    IN CNAME
    e12437.g.akamaiedge.net
    e12437.g.akamaiedge.net
    IN A
    184.29.205.60
  • GET (NL)
    https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1
    NetworkService
    Remote address:
    184.29.205.60:443
    Request
    GET /v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Microsoft-Delivery-Optimization/10.0
    MS-CV: fGaNESRY70uPCuTNchFYQw.0.2.8.1.1.1
    Content-Length: 0
    Host: cp801.prod.do.dsp.mp.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Type: text/json
    Server: Microsoft-IIS/10.0
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 370
    Cache-Control: max-age=33044
    Date: Sun, 13 Feb 2022 12:22:40 GMT
    Connection: keep-alive
  • GET (NL)
    https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1
    NetworkService
    Remote address:
    184.29.205.60:443
    Request
    GET /v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Microsoft-Delivery-Optimization/10.0
    MS-CV: fGaNESRY70uPCuTNchFYQw.0.2.8.2.1.1
    Content-Length: 0
    Host: cp801.prod.do.dsp.mp.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Type: text/json
    Server: Microsoft-IIS/10.0
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 370
    Cache-Control: max-age=33044
    Date: Sun, 13 Feb 2022 12:22:40 GMT
    Connection: keep-alive
  • DNS (US)
    226.101.242.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    226.101.242.52.in-addr.arpa
    IN PTR
    Response
  • 104.80.224.57:443
    322 B
    7
  • 93.184.220.29:80
    260 B
    5
  • 93.184.220.29:80
    260 B
    5
  • 20.50.201.200:443
    40 B
    1
  • 93.184.220.29:80
    322 B
    7
  • 20.54.25.4:443
    geo.prod.do.dsp.mp.microsoft.com
    tls, https
    NetworkService
    1.2kB
    3.5kB
    12
    9
  • 184.29.205.60:443
    https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1
    tls, http
    NetworkService
    1.2kB
    7.8kB
    11
    13

    HTTP Request

    GET https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1

    HTTP Response

    200
  • 185.127.26.186:80
    b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe
    260 B
    5
  • 184.29.205.60:443
    https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1
    tls, http
    NetworkService
    1.4kB
    7.3kB
    11
    13

    HTTP Request

    GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1

    HTTP Response

    200
  • 184.29.205.60:443
    https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1
    tls, http
    NetworkService
    1.4kB
    7.3kB
    11
    13

    HTTP Request

    GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1

    HTTP Response

    200
  • 8.8.8.8:53
    geo.prod.do.dsp.mp.microsoft.com
    dns
    NetworkService
    78 B
    165 B
    1
    1

    DNS Request

    geo.prod.do.dsp.mp.microsoft.com

    DNS Response

    20.54.25.4

  • 8.8.8.8:53
    kv801.prod.do.dsp.mp.microsoft.com
    dns
    NetworkService
    80 B
    190 B
    1
    1

    DNS Request

    kv801.prod.do.dsp.mp.microsoft.com

    DNS Response

    184.29.205.60

  • 8.8.8.8:53
    cp801.prod.do.dsp.mp.microsoft.com
    dns
    NetworkService
    80 B
    190 B
    1
    1

    DNS Request

    cp801.prod.do.dsp.mp.microsoft.com

    DNS Response

    184.29.205.60

  • 8.8.8.8:53
    226.101.242.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    226.101.242.52.in-addr.arpa
