Overview

overview

10

Static

static

021e24623d...d3.exe

windows7_x64

10

021e24623d...d3.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    13-02-2022 12:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    021e24623d999c5bd993873735d8c62202b6591199200d680ff94ca1cf2f58d3.exe

  • Size

    19KB

  • MD5

    b7bbcacddaf239ec748b21ac54007c0e

  • SHA1

    d6b9b0edbe1b2bfde48a9d91bfebec1035e2d821

  • SHA256

    021e24623d999c5bd993873735d8c62202b6591199200d680ff94ca1cf2f58d3

  • SHA512

    8c46cdb5c8e25c965a64c5d704dfb5da6e5b8cab390b74b413353c03f6ec121d7aaad2c43fc222eefbf8e5a0057f35dc2e4fcb632ee3584f9d2311cc9aa20f7d

Score
10/10
satanabootkitpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 18B25953E328E11606833463C8A10A63 and pay on a Bitcoin Wallet: XtumpYQZE3THSx5fG3P9uFTocAbU6DCdwQ total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 18B25953E328E11606833463C8A10A63 this is code; you must send BTC: XtumpYQZE3THSx5fG3P9uFTocAbU6DCdwQ here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Signatures

  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

    ransomwaresatana
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\021e24623d999c5bd993873735d8c62202b6591199200d680ff94ca1cf2f58d3.exe
    "C:\Users\Admin\AppData\Local\Temp\021e24623d999c5bd993873735d8c62202b6591199200d680ff94ca1cf2f58d3.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Users\Admin\AppData\Local\Temp\wjotnzo.exe
      "C:\Users\Admin\AppData\Local\Temp\wjotnzo.exe" {ea90e9d2-74a7-11ec-b993-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\021E24~1.EXE"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of AdjustPrivilegeToken
      PID:1516
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3240
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2388

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\!satana!.txt
    MD5

    3a4f3be9e5eb9b08f5d1d7f2f9070725

    SHA1

    f9e56ee0b337fb109f29a3cdb1b77eafa4700c02

    SHA256

    fd865b1a18b6324502860edf84e9e76a960e70a724a373cb4803951f6338ae7f

    SHA512

    a9e7dd72b03a36e1eab2e053f3b5076ae5d8b4c033069b58e9fd1d3047209c609f5e5d9493dfe6d3b4716d157a0e6eb903d01e93e460a6654a62df76d602e592

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wjotnzo.exe
    MD5

    b7bbcacddaf239ec748b21ac54007c0e

    SHA1

    d6b9b0edbe1b2bfde48a9d91bfebec1035e2d821

    SHA256

    021e24623d999c5bd993873735d8c62202b6591199200d680ff94ca1cf2f58d3

    SHA512

    8c46cdb5c8e25c965a64c5d704dfb5da6e5b8cab390b74b413353c03f6ec121d7aaad2c43fc222eefbf8e5a0057f35dc2e4fcb632ee3584f9d2311cc9aa20f7d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wjotnzo.exe
    MD5

    b7bbcacddaf239ec748b21ac54007c0e

    SHA1

    d6b9b0edbe1b2bfde48a9d91bfebec1035e2d821

    SHA256

    021e24623d999c5bd993873735d8c62202b6591199200d680ff94ca1cf2f58d3

    SHA512

    8c46cdb5c8e25c965a64c5d704dfb5da6e5b8cab390b74b413353c03f6ec121d7aaad2c43fc222eefbf8e5a0057f35dc2e4fcb632ee3584f9d2311cc9aa20f7d

    Download Submit

  • memory/3240-133-0x000001D0AD990000-0x000001D0AD9A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3240-134-0x000001D0AE160000-0x000001D0AE170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3240-135-0x000001D0B0D70000-0x000001D0B0D74000-memory.dmp

    Filesize

    16KB

    Download