Overview

overview

10

Static

static

ea2c169529...72.exe

windows7_x64

10

ea2c169529...72.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72

  • Size

    34KB

  • Sample

    220213-phtq8ahgd2

  • MD5

    a5444dd6ee8773915096c31bd882e247

  • SHA1

    88265756945984ebd5fe58827c39ca1f1a2bf487

  • SHA256

    ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72

  • SHA512

    1d535287436a2b30895860ca5e06784bc6d1a3c35f513e890d44ce3a84bbdead3ff39882929cce1e5a62a186999e639bd8473da2384f1c8f5326c993a3fc2247

Score
10/10
satanabootkitpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: Xqz5WKhkQJBub7XABd4TJANXtQXGCacNUG total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: Xqz5WKhkQJBub7XABd4TJANXtQXGCacNUG here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 2811CAB3DC2A63CEB89AED116AECF3F1 and pay on a Bitcoin Wallet: XbvKCGr8VowpBLwE8VxHNL2oL24ukKcNFw total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 2811CAB3DC2A63CEB89AED116AECF3F1 this is code; you must send BTC: XbvKCGr8VowpBLwE8VxHNL2oL24ukKcNFw here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Targets

    • Target

      ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72

    • Size

      34KB

    • MD5

      a5444dd6ee8773915096c31bd882e247

    • SHA1

      88265756945984ebd5fe58827c39ca1f1a2bf487

    • SHA256

      ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72

    • SHA512

      1d535287436a2b30895860ca5e06784bc6d1a3c35f513e890d44ce3a84bbdead3ff39882929cce1e5a62a186999e639bd8473da2384f1c8f5326c993a3fc2247

    Score
    10/10
    satanabootkitpersistenceransomware

    • Satana

      Ransomware family which also encrypts the system's Master Boot Record (MBR).

      ransomwaresatana

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks