Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

Documents/...er.exe

windows10-2004-x64

10

Documents/...ll.exe

windows10-2004-x64

3

Documents/...aw.exe

windows10-2004-x64

10

Documents/...ky.exe

windows10-2004-x64

10

Documents/...31.exe

windows10-2004-x64

1

Documents/...3 .exe

windows10-2004-x64

3

Documents/...d9.dll

windows10-2004-x64

10

027cc450ef...ju.dll

windows10-2004-x64

10

ee29b9c013...bc6.js

windows10-2004-x64

3

fe2e5d0543...L9.rtf

windows10-2004-x64

1

Documents/...uy.hta

windows10-2004-x64

10

Documents/...st.exe

windows10-2004-x64

7

Documents/...39.exe

windows10-2004-x64

6

Documents/...5c.exe

windows10-2004-x64

Documents/...00.exe

windows10-2004-x64

7

Supplement...16.scr

windows10-2004-x64

3

Documents/...ZSFwgb

windows10-2004-x64

1

Documents/...96.exe

windows10-2004-x64

5

Documents/...ed.exe

windows10-2004-x64

10

Documents/...70.exe

windows10-2004-x64

9

Documents/...67.exe

windows10-2004-x64

1

Documents/...56.exe

windows10-2004-x64

1

Documents/...ab.exe

windows10-2004-x64

8

Documents/...3a.exe

windows10-2004-x64

8

Documents/...73.exe

windows10-2004-x64

8

ed01ebfbc9...aa.exe

windows10-2004-x64

10

Documents/...aa.exe

windows10-2004-x64

10

Resubmissions

22/08/2024, 18:43 UTC

240822-xc563asamh 10

21/08/2024, 17:16 UTC

240821-vtjnaathnq 10

30/06/2024, 00:59 UTC

240630-bcjr6svbkk 10

20/06/2024, 02:02 UTC

240620-cf43ysxbnk 10

20/06/2024, 01:44 UTC

240620-b5v1xawemk 10

19/06/2024, 01:10 UTC

240619-bjmseavfmp 10

18/06/2024, 20:40 UTC

240618-zfwsxawdpa 10

18/06/2024, 13:45 UTC

240618-q2vcjawdle 10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/06/2024, 01:44 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documents/Ransomware.Satana/Ransomware.Satana/unpacked.exe

  • Size

    72KB

  • MD5

    108756f41d114eb93e136ba2feb838d0

  • SHA1

    8c6b51923ee7da2f4642c7717db95fbb77d96164

  • SHA256

    b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

  • SHA512

    d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa

  • SSDEEP

    768:F9NJK3qZRhxXHIQBsLL16BKc+bBQZ/UMc2:rXzXol6cc+lQZMMc2

Score
10/10
satanabootkitpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: lanachka888@mail.com your private code: 0520F875B250E63BDE30224DA2DD0CDB and pay on a Bitcoin Wallet: XtmxHRo8xkvaJ9FdNumLUARqsWvETHGCG5 total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: lanachka888@mail.com - this is our mail CODE: 0520F875B250E63BDE30224DA2DD0CDB this is code; you must send BTC: XtmxHRo8xkvaJ9FdNumLUARqsWvETHGCG5 here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>
Emails

lanachka888@mail.com

Signatures

  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

    ransomwaresatana
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Satana\Ransomware.Satana\unpacked.exe
    "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Satana\Ransomware.Satana\unpacked.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Local\Temp\fzi.exe
      "C:\Users\Admin\AppData\Local\Temp\fzi.exe" {cf3aa7ba-0d68-11ef-a070-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\DOCUME~1\RANSOM~1.SAT\RANSOM~1.SAT\unpacked.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of AdjustPrivilegeToken
      PID:1596

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.90.14.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.90.14.23.in-addr.arpa
    IN PTR
    Response
    97.90.14.23.in-addr.arpa
    IN PTR
    a23-14-90-97deploystaticakamaitechnologiescom
  • flag-us
    DNS
    183.142.211.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.142.211.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    92.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    92.12.20.2.in-addr.arpa
    IN PTR
    Response
    92.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-92deploystaticakamaitechnologiescom
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 185.127.26.186:80
    unpacked.exe
    260 B
     5
  • 185.127.26.186:80
    fzi.exe
    260 B
     5
  • 185.127.26.186:80
    fzi.exe
    260 B
     5
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    97.90.14.23.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    97.90.14.23.in-addr.arpa

  • 8.8.8.8:53
    183.142.211.20.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    183.142.211.20.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    92.12.20.2.in-addr.arpa
    dns
    69 B
     131 B
     1
    1

    DNS Request

    92.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    21.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    21.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\!satana!.txt
    Filesize

    1KB

    MD5

    2ce0ee149b8f627a1805bed28920ed34

    SHA1

    432c84630fed3c3ab79ed353c386a4ce5f2f3240

    SHA256

    12fe92e3ec58f591c5a860ecebe6633e201187b0d796e2c88606655c4b9fa79e

    SHA512

    53f741ce16ce416e19472045574dcd24b964466458a439f4992bb991f15b2fe8d15b903aa769674dccce3e3e2eb49ef985994f42bf98cc459c3f58e90f11af15

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fzi.exe
    Filesize

    72KB

    MD5

    108756f41d114eb93e136ba2feb838d0

    SHA1

    8c6b51923ee7da2f4642c7717db95fbb77d96164

    SHA256

    b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

    SHA512

    d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.