satana | ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d

General

Target

ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
Size

34KB
MD5

d236fcc8789f94f085137058311e848b
SHA1

808061052c9efc7c7255ffeb92c77b02bbb8cfee
SHA256

ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d
SHA512

730c6bf2d17a6fd4b1de4a361848381256187e3cda1133f8d990107a44274078486b310f97751eef771e1e618c2e233f8852a4d61dc93b5ed1c757131e58948d

Score

10^/10

satana bootkit persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note

You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: Xqz5WKhkQJBub7XABd4TJANXtQXGCacNUG total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: Xqz5WKhkQJBub7XABd4TJANXtQXGCacNUG here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Emails

[email protected]

Signatures

Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
ransomware satana
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

buj.exe

pid process

464 buj.exe
Deletes itself 1 IoCs

Processes:

buj.exe

pid process

464 buj.exe

pid	process
464	buj.exe

pid	process
464	buj.exe

Loads dropped DLL 5 IoCs

Processes:

ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exebuj.exe

pid	process
1628	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
1628	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
1628	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
1628	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
464	buj.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\cocc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

buj.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 buj.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	buj.exe

Drops file in Program Files directory 64 IoCs

Processes:

buj.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png	buj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif	buj.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\!satana!.txt	buj.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\!satana!.txt	buj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\attention.gif	buj.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\!satana!.txt	buj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png	buj.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	buj.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png	buj.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt	buj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml	buj.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\!satana!.txt	buj.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\!satana!.txt	buj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png	buj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\10.png	buj.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\!satana!.txt	buj.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\!satana!.txt	buj.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\!satana!.txt	buj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml	buj.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\!satana!.txt	buj.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\!satana!.txt	buj.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\!satana!.txt	buj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_pressed.gif	buj.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	buj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml	buj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml	buj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png	buj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png	buj.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\!satana!.txt	buj.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\!satana!.txt	buj.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\!satana!.txt	buj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png	buj.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\!satana!.txt	buj.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\!satana!.txt	buj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml	buj.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\!satana!.txt	buj.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\!satana!.txt	buj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif	buj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveNoise.png	buj.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\!satana!.txt	buj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png	buj.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\!satana!.txt	buj.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\!satana!.txt	buj.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\!satana!.txt	buj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif	buj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp	buj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\drag.png	buj.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\!satana!.txt	buj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\[email protected]___bg_GreenTea.gif	buj.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	buj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png	buj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml	buj.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\!satana!.txt	buj.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\!satana!.txt	buj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg	buj.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\!satana!.txt	buj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip	buj.exe
File created	C:\Program Files\Windows Media Player\de-DE\!satana!.txt	buj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml	buj.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right_over.gif	buj.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\!satana!.txt	buj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml	buj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml	buj.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\!satana!.txt	buj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

VSSADMIN.EXE

pid process

836 VSSADMIN.EXE

pid	process
836	VSSADMIN.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

buj.exevssvc.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	464	buj.exe
Token: SeBackupPrivilege	1556	vssvc.exe
Token: SeRestorePrivilege	1556	vssvc.exe
Token: SeAuditPrivilege	1556	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exebuj.exe

description	pid	process	target process
PID 1628 wrote to memory of 464	1628	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe	buj.exe
PID 1628 wrote to memory of 464	1628	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe	buj.exe
PID 1628 wrote to memory of 464	1628	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe	buj.exe
PID 1628 wrote to memory of 464	1628	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe	buj.exe
PID 464 wrote to memory of 836	464	buj.exe	VSSADMIN.EXE
PID 464 wrote to memory of 836	464	buj.exe	VSSADMIN.EXE
PID 464 wrote to memory of 836	464	buj.exe	VSSADMIN.EXE
PID 464 wrote to memory of 836	464	buj.exe	VSSADMIN.EXE

C:\Users\Admin\AppData\Local\Temp\ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
"C:\Users\Admin\AppData\Local\Temp\ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\buj.exe
  "C:\Users\Admin\AppData\Local\Temp\buj.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\EE9377~1.EXE"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SysWOW64\VSSADMIN.EXE
    "C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

MD5
9c4bbcbddbb76e27f2a802b2781bc877

SHA1
b6da6284c1e5c47c7f7e5510f314a142cbfe4dc4

SHA256
3a9488c4673728924f52637cca68f200849478f9a210e9ef8a8fabeb0cdfa246

SHA512
b96a05740b4c965c46047bc1d1725746c065cf46fe284fc33e24bf6d2cfceb15452788e45b18064b9ae01c993bdede5cbabd96191470001860c2713cf54b58e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\buj.exe

MD5
d236fcc8789f94f085137058311e848b

SHA1
808061052c9efc7c7255ffeb92c77b02bbb8cfee

SHA256
ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d

SHA512
730c6bf2d17a6fd4b1de4a361848381256187e3cda1133f8d990107a44274078486b310f97751eef771e1e618c2e233f8852a4d61dc93b5ed1c757131e58948d

Download Submit
C:\Users\Admin\AppData\Local\Temp\buj.exe

MD5
d236fcc8789f94f085137058311e848b

SHA1
808061052c9efc7c7255ffeb92c77b02bbb8cfee

SHA256
ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d

SHA512
730c6bf2d17a6fd4b1de4a361848381256187e3cda1133f8d990107a44274078486b310f97751eef771e1e618c2e233f8852a4d61dc93b5ed1c757131e58948d

Download Submit
\Users\Admin\AppData\Local\Temp\buj.exe

MD5
d236fcc8789f94f085137058311e848b

SHA1
808061052c9efc7c7255ffeb92c77b02bbb8cfee

SHA256
ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d

SHA512
730c6bf2d17a6fd4b1de4a361848381256187e3cda1133f8d990107a44274078486b310f97751eef771e1e618c2e233f8852a4d61dc93b5ed1c757131e58948d

Download Submit
\Users\Admin\AppData\Local\Temp\buj.exe

MD5
d236fcc8789f94f085137058311e848b

SHA1
808061052c9efc7c7255ffeb92c77b02bbb8cfee

SHA256
ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d

SHA512
730c6bf2d17a6fd4b1de4a361848381256187e3cda1133f8d990107a44274078486b310f97751eef771e1e618c2e233f8852a4d61dc93b5ed1c757131e58948d

Download Submit
\Users\Admin\AppData\Local\Temp\buj.exe

MD5
d236fcc8789f94f085137058311e848b

SHA1
808061052c9efc7c7255ffeb92c77b02bbb8cfee

SHA256
ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d

SHA512
730c6bf2d17a6fd4b1de4a361848381256187e3cda1133f8d990107a44274078486b310f97751eef771e1e618c2e233f8852a4d61dc93b5ed1c757131e58948d

Download Submit
\Users\Admin\AppData\Local\Temp\buj.exe

MD5
d236fcc8789f94f085137058311e848b

SHA1
808061052c9efc7c7255ffeb92c77b02bbb8cfee

SHA256
ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d

SHA512
730c6bf2d17a6fd4b1de4a361848381256187e3cda1133f8d990107a44274078486b310f97751eef771e1e618c2e233f8852a4d61dc93b5ed1c757131e58948d

Download Submit
\Users\Admin\AppData\Local\Temp\buj.exe

MD5
d236fcc8789f94f085137058311e848b

SHA1
808061052c9efc7c7255ffeb92c77b02bbb8cfee

SHA256
ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d

SHA512
730c6bf2d17a6fd4b1de4a361848381256187e3cda1133f8d990107a44274078486b310f97751eef771e1e618c2e233f8852a4d61dc93b5ed1c757131e58948d

Download Submit
memory/1628-54-0x00000000751B1000-0x00000000751B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads