Overview

overview

10

Static

static

1523827831...28.exe

windows7_x64

10

1523827831...28.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1523827831f7a0fec23a3bca905447c90402b5eef6b85e50f0abd1d7ee663f28

  • Size

    61KB

  • Sample

    220213-pj4b2sbgcl

  • MD5

    573b0cca8c051da66ea3b952b8cead10

  • SHA1

    df64d3fb9788a4b36e0647c7c050dec51942d122

  • SHA256

    1523827831f7a0fec23a3bca905447c90402b5eef6b85e50f0abd1d7ee663f28

  • SHA512

    fce69862671fd31adc80426c996040a5db02c831c18f10233704270375c37e6e21896a103916fbda6d337a3614612dc9c444957764d07eecc750fcf184d0283a

Score
10/10
satanaevasionpersistenceransomwaresuricata

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: Xmw3ufNfX5zWkspZAmCWgcF1epMahhZWTR total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: Xmw3ufNfX5zWkspZAmCWgcF1epMahhZWTR here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 2811CAB3DC2A63CEB89AED116AECF3F1 and pay on a Bitcoin Wallet: XtumpYQZE3THSx5fG3P9uFTocAbU6DCdwQ total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 2811CAB3DC2A63CEB89AED116AECF3F1 this is code; you must send BTC: XtumpYQZE3THSx5fG3P9uFTocAbU6DCdwQ here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Targets

    • Target

      1523827831f7a0fec23a3bca905447c90402b5eef6b85e50f0abd1d7ee663f28

    • Size

      61KB

    • MD5

      573b0cca8c051da66ea3b952b8cead10

    • SHA1

      df64d3fb9788a4b36e0647c7c050dec51942d122

    • SHA256

      1523827831f7a0fec23a3bca905447c90402b5eef6b85e50f0abd1d7ee663f28

    • SHA512

      fce69862671fd31adc80426c996040a5db02c831c18f10233704270375c37e6e21896a103916fbda6d337a3614612dc9c444957764d07eecc750fcf184d0283a

    Score
    10/10
    satanapersistenceransomwareevasionsuricata

    • Modifies firewall policy service

      evasion

    • Satana

      Ransomware family which also encrypts the system's Master Boot Record (MBR).

      ransomwaresatana

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup

      suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup

      suricata

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks