fed4ba7531b2b794f037798cc87edac46c3b98b166e2e8822bce204301d7066b

Analysis

max time kernel
147s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
13-02-2022 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fed4ba7531b2b794f037798cc87edac46c3b98b166e2e8822bce204301d7066b.exe
Size

330KB
MD5

fd53797716c706419a3d1bf347acbf8a
SHA1

3388dac6ab1e07733c007f06d53dbe6a0fbab429
SHA256

fed4ba7531b2b794f037798cc87edac46c3b98b166e2e8822bce204301d7066b
SHA512

e12965fd52cbd450993192ab91aa16cdd263b3c35e3eeda72a29f0e49f12abdaf866e4e4229a13e9a0239365773f487943b19ca4cc81507a5499ae3186e15c5b

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1896 created 3940	1896	WerFault.exe	86

Executes dropped EXE 2 IoCs

pid	Process
3408	Satana.exe
3940	Satana.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	fed4ba7531b2b794f037798cc87edac46c3b98b166e2e8822bce204301d7066b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3408 set thread context of 3940	3408	Satana.exe	86

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3468	3940	WerFault.exe	86

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3468	WerFault.exe
3468	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3468	WerFault.exe
Token: SeBackupPrivilege	3468	WerFault.exe
Token: SeShutdownPrivilege	4156	svchost.exe
Token: SeCreatePagefilePrivilege	4156	svchost.exe
Token: SeShutdownPrivilege	4156	svchost.exe
Token: SeCreatePagefilePrivilege	4156	svchost.exe
Token: SeShutdownPrivilege	4156	svchost.exe
Token: SeCreatePagefilePrivilege	4156	svchost.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe
Token: SeSecurityPrivilege	3720	TiWorker.exe
Token: SeBackupPrivilege	3720	TiWorker.exe
Token: SeRestorePrivilege	3720	TiWorker.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 3408	3832	fed4ba7531b2b794f037798cc87edac46c3b98b166e2e8822bce204301d7066b.exe	82
PID 3832 wrote to memory of 3408	3832	fed4ba7531b2b794f037798cc87edac46c3b98b166e2e8822bce204301d7066b.exe	82
PID 3832 wrote to memory of 3408	3832	fed4ba7531b2b794f037798cc87edac46c3b98b166e2e8822bce204301d7066b.exe	82
PID 3408 wrote to memory of 3940	3408	Satana.exe	86
PID 3408 wrote to memory of 3940	3408	Satana.exe	86
PID 3408 wrote to memory of 3940	3408	Satana.exe	86
PID 3408 wrote to memory of 3940	3408	Satana.exe	86
PID 3408 wrote to memory of 3940	3408	Satana.exe	86
PID 3408 wrote to memory of 3940	3408	Satana.exe	86
PID 3408 wrote to memory of 3940	3408	Satana.exe	86
PID 3408 wrote to memory of 3940	3408	Satana.exe	86
PID 3408 wrote to memory of 3940	3408	Satana.exe	86
PID 1896 wrote to memory of 3940	1896	WerFault.exe	86
PID 1896 wrote to memory of 3940	1896	WerFault.exe	86

C:\Users\Admin\AppData\Local\Temp\fed4ba7531b2b794f037798cc87edac46c3b98b166e2e8822bce204301d7066b.exe
"C:\Users\Admin\AppData\Local\Temp\fed4ba7531b2b794f037798cc87edac46c3b98b166e2e8822bce204301d7066b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\Satana\Satana.exe
  "C:\Users\Admin\AppData\Local\Temp\Satana\Satana.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\Satana\Satana.exe
    "C:\Users\Admin\AppData\Local\Temp\Satana\Satana.exe"
    3⤵
    - Executes dropped EXE
    PID:3940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 340
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3940 -ip 3940
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3940-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3940-133-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3940-136-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4156-137-0x0000028087D80000-0x0000028087D90000-memory.dmp

Filesize
64KB

Download
memory/4156-138-0x0000028088560000-0x0000028088570000-memory.dmp

Filesize
64KB

Download
memory/4156-139-0x000002808B4B0000-0x000002808B4B4000-memory.dmp

Filesize
16KB

Download