Analysis

  • max time kernel
    154s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    13-02-2022 12:20

General

  • Target

    b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe

  • Size

    73KB

  • MD5

    d4b7c1a8597b37290ce836cdebdd1b1f

  • SHA1

    621a3838729afc06e7f9d678e06f3a2ffb28cfdd

  • SHA256

    b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9

  • SHA512

    4273cb57fb01b841784a91fe03a050be59f62535e1f34df503f2f1677bce9677ae8367384882b9dabe06c992d1d953f005e70d0f0754533df15c8b70ae236f30

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 18B25953E328E11606833463C8A10A63 and pay on a Bitcoin Wallet: Xqz5WKhkQJBub7XABd4TJANXtQXGCacNUG total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 18B25953E328E11606833463C8A10A63 this is code; you must send BTC: Xqz5WKhkQJBub7XABd4TJANXtQXGCacNUG here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Signatures

  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe
    "C:\Users\Admin\AppData\Local\Temp\b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Users\Admin\AppData\Local\Temp\oyqqqdt.exe
      "C:\Users\Admin\AppData\Local\Temp\oyqqqdt.exe" {ea90e9d2-74a7-11ec-b993-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\B99319~1.EXE"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of AdjustPrivilegeToken
      PID:4396
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2888
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3112

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\!satana!.txt
    MD5

    27f69b0ff7bab6d9fa7d189bf642f093

    SHA1

    dbd6ccec5b01b5d9c8f61f08d7976d499d6cd1df

    SHA256

    3f5503afa2277edcfda2d4a27a7a5056cfa0ce9311034741b187967b61f0e2d6

    SHA512

    fc2d1ceef93e994c1381e2582bdb769f66af01734514318458f54891129b766c69358406f232cacf273cc08e0d17fb6b3bd0d11fc863ffb6213e0f0fc70d6a09

  • C:\Users\Admin\AppData\Local\Temp\oyqqqdt.exe
    MD5

    d4b7c1a8597b37290ce836cdebdd1b1f

    SHA1

    621a3838729afc06e7f9d678e06f3a2ffb28cfdd

    SHA256

    b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9

    SHA512

    4273cb57fb01b841784a91fe03a050be59f62535e1f34df503f2f1677bce9677ae8367384882b9dabe06c992d1d953f005e70d0f0754533df15c8b70ae236f30

  • C:\Users\Admin\AppData\Local\Temp\oyqqqdt.exe
    MD5

    d4b7c1a8597b37290ce836cdebdd1b1f

    SHA1

    621a3838729afc06e7f9d678e06f3a2ffb28cfdd

    SHA256

    b9931966abd62c3f06f9072af2b74900fffb0c5305ca58a486fb9291f3d1f9f9

    SHA512

    4273cb57fb01b841784a91fe03a050be59f62535e1f34df503f2f1677bce9677ae8367384882b9dabe06c992d1d953f005e70d0f0754533df15c8b70ae236f30

  • memory/2888-133-0x0000021405960000-0x0000021405970000-memory.dmp
    Filesize

    64KB

  • memory/2888-134-0x0000021405F20000-0x0000021405F30000-memory.dmp
    Filesize

    64KB

  • memory/2888-135-0x00000214085A0000-0x00000214085A4000-memory.dmp
    Filesize

    16KB