Analysis
-
max time kernel
151s -
max time network
123s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
13-02-2022 12:20
General
-
Target
ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe
-
Size
34KB
-
MD5
a5444dd6ee8773915096c31bd882e247
-
SHA1
88265756945984ebd5fe58827c39ca1f1a2bf487
-
SHA256
ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72
-
SHA512
1d535287436a2b30895860ca5e06784bc6d1a3c35f513e890d44ce3a84bbdead3ff39882929cce1e5a62a186999e639bd8473da2384f1c8f5326c993a3fc2247
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Signatures
-
Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe"C:\Users\Admin\AppData\Local\Temp\ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wyrmi.exe"C:\Users\Admin\AppData\Local\Temp\wyrmi.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\EA2C16~1.EXE"2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\VSSADMIN.EXE"C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\!satana!.txtMD5
d2606d6c2e0f1f53ab9e734727c9fe12
SHA1323141ea25c08a6d8b0042d9928c9493f16334f5
SHA2561ff1a93f0514de46a2692b4ce0482d9345e3a2cf4d947e87f49c6310c5b34fb0
SHA512613064942993f3cfaf5530d82f8e0f54675d4757471bb76a6e77e4886befb0035bcdc245606732dee1de04aa2fac1cc0f4fc6ca7c5c36085eca6d493153f49b0
-
C:\Users\Admin\AppData\Local\Temp\wyrmi.exeMD5
a5444dd6ee8773915096c31bd882e247
SHA188265756945984ebd5fe58827c39ca1f1a2bf487
SHA256ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72
SHA5121d535287436a2b30895860ca5e06784bc6d1a3c35f513e890d44ce3a84bbdead3ff39882929cce1e5a62a186999e639bd8473da2384f1c8f5326c993a3fc2247
-
C:\Users\Admin\AppData\Local\Temp\wyrmi.exeMD5
a5444dd6ee8773915096c31bd882e247
SHA188265756945984ebd5fe58827c39ca1f1a2bf487
SHA256ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72
SHA5121d535287436a2b30895860ca5e06784bc6d1a3c35f513e890d44ce3a84bbdead3ff39882929cce1e5a62a186999e639bd8473da2384f1c8f5326c993a3fc2247
-
\Users\Admin\AppData\Local\Temp\wyrmi.exeMD5
a5444dd6ee8773915096c31bd882e247
SHA188265756945984ebd5fe58827c39ca1f1a2bf487
SHA256ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72
SHA5121d535287436a2b30895860ca5e06784bc6d1a3c35f513e890d44ce3a84bbdead3ff39882929cce1e5a62a186999e639bd8473da2384f1c8f5326c993a3fc2247
-
\Users\Admin\AppData\Local\Temp\wyrmi.exeMD5
a5444dd6ee8773915096c31bd882e247
SHA188265756945984ebd5fe58827c39ca1f1a2bf487
SHA256ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72
SHA5121d535287436a2b30895860ca5e06784bc6d1a3c35f513e890d44ce3a84bbdead3ff39882929cce1e5a62a186999e639bd8473da2384f1c8f5326c993a3fc2247
-
\Users\Admin\AppData\Local\Temp\wyrmi.exeMD5
a5444dd6ee8773915096c31bd882e247
SHA188265756945984ebd5fe58827c39ca1f1a2bf487
SHA256ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72
SHA5121d535287436a2b30895860ca5e06784bc6d1a3c35f513e890d44ce3a84bbdead3ff39882929cce1e5a62a186999e639bd8473da2384f1c8f5326c993a3fc2247
-
\Users\Admin\AppData\Local\Temp\wyrmi.exeMD5
a5444dd6ee8773915096c31bd882e247
SHA188265756945984ebd5fe58827c39ca1f1a2bf487
SHA256ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72
SHA5121d535287436a2b30895860ca5e06784bc6d1a3c35f513e890d44ce3a84bbdead3ff39882929cce1e5a62a186999e639bd8473da2384f1c8f5326c993a3fc2247
-
\Users\Admin\AppData\Local\Temp\wyrmi.exeMD5
a5444dd6ee8773915096c31bd882e247
SHA188265756945984ebd5fe58827c39ca1f1a2bf487
SHA256ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72
SHA5121d535287436a2b30895860ca5e06784bc6d1a3c35f513e890d44ce3a84bbdead3ff39882929cce1e5a62a186999e639bd8473da2384f1c8f5326c993a3fc2247
-
memory/528-53-0x0000000076121000-0x0000000076123000-memory.dmpFilesize
8KB