Overview

overview

10

Static

static

fd8e0e1aca...2a.exe

windows7_x64

10

fd8e0e1aca...2a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13-02-2022 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd8e0e1aca4af2dfdd7861f351150ff5ce81ea390aeec04ba3f13802a408302a.exe

  • Size

    108KB

  • MD5

    53e1c922c52e8ad201949ca5c66609f6

  • SHA1

    6c40ef2be382a141ade53b1349605da91784888c

  • SHA256

    fd8e0e1aca4af2dfdd7861f351150ff5ce81ea390aeec04ba3f13802a408302a

  • SHA512

    cc5e1a56f28713dde1282c0d5ad4e593f41203fdfb0fdaec7ef3b168eded599bd1dbf75f479733b8b3d8a3682e831c874d9a99ba5dcfb1b10dcff3bd94bce33c

Score
10/10
satanabootkitpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: XtmxHRo8xkvaJ9FdNumLUARqsWvETHGCG5 total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: XtmxHRo8xkvaJ9FdNumLUARqsWvETHGCG5 here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Signatures

  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

    ransomwaresatana
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd8e0e1aca4af2dfdd7861f351150ff5ce81ea390aeec04ba3f13802a408302a.exe
    "C:\Users\Admin\AppData\Local\Temp\fd8e0e1aca4af2dfdd7861f351150ff5ce81ea390aeec04ba3f13802a408302a.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Users\Admin\AppData\Local\Temp\irytt.exe
      "C:\Users\Admin\AppData\Local\Temp\irytt.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\FD8E0E~1.EXE"
      2⤵
      • Executes dropped EXE
      • Deletes itself
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Windows\SysWOW64\VSSADMIN.EXE
        "C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1752
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1116

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\!satana!.txt
    MD5

    9bed731dccf94eaaaa76830e98fdd0cb

    SHA1

    9d7bb24e9b4121a948dce0852a5f3667f3c5cd76

    SHA256

    036bed5f378db1ac2904237b6c2e7c1eab875ff7e8e6b10a66c9188d4f8fdc40

    SHA512

    e1506f8fe188b3d9c6a9731d11844b3c67cf6f2855c9bfd95d6424e2cc0db188d49d6c3d41dfe4c26d28c8fc869d0151a6bb9c66a4da0c7d0546fc0ad8da9fff

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\irytt.exe
    MD5

    53e1c922c52e8ad201949ca5c66609f6

    SHA1

    6c40ef2be382a141ade53b1349605da91784888c

    SHA256

    fd8e0e1aca4af2dfdd7861f351150ff5ce81ea390aeec04ba3f13802a408302a

    SHA512

    cc5e1a56f28713dde1282c0d5ad4e593f41203fdfb0fdaec7ef3b168eded599bd1dbf75f479733b8b3d8a3682e831c874d9a99ba5dcfb1b10dcff3bd94bce33c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\irytt.exe
    MD5

    53e1c922c52e8ad201949ca5c66609f6

    SHA1

    6c40ef2be382a141ade53b1349605da91784888c

    SHA256

    fd8e0e1aca4af2dfdd7861f351150ff5ce81ea390aeec04ba3f13802a408302a

    SHA512

    cc5e1a56f28713dde1282c0d5ad4e593f41203fdfb0fdaec7ef3b168eded599bd1dbf75f479733b8b3d8a3682e831c874d9a99ba5dcfb1b10dcff3bd94bce33c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\irytt.exe
    MD5

    53e1c922c52e8ad201949ca5c66609f6

    SHA1

    6c40ef2be382a141ade53b1349605da91784888c

    SHA256

    fd8e0e1aca4af2dfdd7861f351150ff5ce81ea390aeec04ba3f13802a408302a

    SHA512

    cc5e1a56f28713dde1282c0d5ad4e593f41203fdfb0fdaec7ef3b168eded599bd1dbf75f479733b8b3d8a3682e831c874d9a99ba5dcfb1b10dcff3bd94bce33c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\irytt.exe
    MD5

    53e1c922c52e8ad201949ca5c66609f6

    SHA1

    6c40ef2be382a141ade53b1349605da91784888c

    SHA256

    fd8e0e1aca4af2dfdd7861f351150ff5ce81ea390aeec04ba3f13802a408302a

    SHA512

    cc5e1a56f28713dde1282c0d5ad4e593f41203fdfb0fdaec7ef3b168eded599bd1dbf75f479733b8b3d8a3682e831c874d9a99ba5dcfb1b10dcff3bd94bce33c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\irytt.exe
    MD5

    53e1c922c52e8ad201949ca5c66609f6

    SHA1

    6c40ef2be382a141ade53b1349605da91784888c

    SHA256

    fd8e0e1aca4af2dfdd7861f351150ff5ce81ea390aeec04ba3f13802a408302a

    SHA512

    cc5e1a56f28713dde1282c0d5ad4e593f41203fdfb0fdaec7ef3b168eded599bd1dbf75f479733b8b3d8a3682e831c874d9a99ba5dcfb1b10dcff3bd94bce33c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\irytt.exe
    MD5

    53e1c922c52e8ad201949ca5c66609f6

    SHA1

    6c40ef2be382a141ade53b1349605da91784888c

    SHA256

    fd8e0e1aca4af2dfdd7861f351150ff5ce81ea390aeec04ba3f13802a408302a

    SHA512

    cc5e1a56f28713dde1282c0d5ad4e593f41203fdfb0fdaec7ef3b168eded599bd1dbf75f479733b8b3d8a3682e831c874d9a99ba5dcfb1b10dcff3bd94bce33c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\irytt.exe
    MD5

    53e1c922c52e8ad201949ca5c66609f6

    SHA1

    6c40ef2be382a141ade53b1349605da91784888c

    SHA256

    fd8e0e1aca4af2dfdd7861f351150ff5ce81ea390aeec04ba3f13802a408302a

    SHA512

    cc5e1a56f28713dde1282c0d5ad4e593f41203fdfb0fdaec7ef3b168eded599bd1dbf75f479733b8b3d8a3682e831c874d9a99ba5dcfb1b10dcff3bd94bce33c

    Download Submit
  • memory/764-65-0x0000000073C71000-0x0000000073C73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1540-55-0x0000000075D61000-0x0000000075D63000-memory.dmp
    Filesize

    8KB

    Download