Analysis
-
max time kernel
152s -
max time network
127s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
13-02-2022 12:21
General
-
Target
b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe
-
Size
72KB
-
MD5
2c0d06420d5af53d3324717bc2e4f280
-
SHA1
f0d10df44ee7ae8e2da6c02eb1fb9ed1517c26fa
-
SHA256
b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7
-
SHA512
7e6c63d1bcba6e22a0f6a2539c25daf451c698fb2579747dd42b059e3780787582263b42ee57e1f8448764fb29b07173a5b8ec43c250fe2e725c6e44b1e3c583
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Signatures
-
Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe"C:\Users\Admin\AppData\Local\Temp\b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tasbqbc.exe"C:\Users\Admin\AppData\Local\Temp\tasbqbc.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\B23FE1~1.EXE"2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\VSSADMIN.EXE"C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
9c4bbcbddbb76e27f2a802b2781bc877
SHA1b6da6284c1e5c47c7f7e5510f314a142cbfe4dc4
SHA2563a9488c4673728924f52637cca68f200849478f9a210e9ef8a8fabeb0cdfa246
SHA512b96a05740b4c965c46047bc1d1725746c065cf46fe284fc33e24bf6d2cfceb15452788e45b18064b9ae01c993bdede5cbabd96191470001860c2713cf54b58e1
-
MD5
2c0d06420d5af53d3324717bc2e4f280
SHA1f0d10df44ee7ae8e2da6c02eb1fb9ed1517c26fa
SHA256b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7
SHA5127e6c63d1bcba6e22a0f6a2539c25daf451c698fb2579747dd42b059e3780787582263b42ee57e1f8448764fb29b07173a5b8ec43c250fe2e725c6e44b1e3c583
-
MD5
2c0d06420d5af53d3324717bc2e4f280
SHA1f0d10df44ee7ae8e2da6c02eb1fb9ed1517c26fa
SHA256b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7
SHA5127e6c63d1bcba6e22a0f6a2539c25daf451c698fb2579747dd42b059e3780787582263b42ee57e1f8448764fb29b07173a5b8ec43c250fe2e725c6e44b1e3c583
-
MD5
2c0d06420d5af53d3324717bc2e4f280
SHA1f0d10df44ee7ae8e2da6c02eb1fb9ed1517c26fa
SHA256b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7
SHA5127e6c63d1bcba6e22a0f6a2539c25daf451c698fb2579747dd42b059e3780787582263b42ee57e1f8448764fb29b07173a5b8ec43c250fe2e725c6e44b1e3c583
-
MD5
2c0d06420d5af53d3324717bc2e4f280
SHA1f0d10df44ee7ae8e2da6c02eb1fb9ed1517c26fa
SHA256b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7
SHA5127e6c63d1bcba6e22a0f6a2539c25daf451c698fb2579747dd42b059e3780787582263b42ee57e1f8448764fb29b07173a5b8ec43c250fe2e725c6e44b1e3c583
-
MD5
2c0d06420d5af53d3324717bc2e4f280
SHA1f0d10df44ee7ae8e2da6c02eb1fb9ed1517c26fa
SHA256b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7
SHA5127e6c63d1bcba6e22a0f6a2539c25daf451c698fb2579747dd42b059e3780787582263b42ee57e1f8448764fb29b07173a5b8ec43c250fe2e725c6e44b1e3c583
-
MD5
2c0d06420d5af53d3324717bc2e4f280
SHA1f0d10df44ee7ae8e2da6c02eb1fb9ed1517c26fa
SHA256b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7
SHA5127e6c63d1bcba6e22a0f6a2539c25daf451c698fb2579747dd42b059e3780787582263b42ee57e1f8448764fb29b07173a5b8ec43c250fe2e725c6e44b1e3c583
-
MD5
2c0d06420d5af53d3324717bc2e4f280
SHA1f0d10df44ee7ae8e2da6c02eb1fb9ed1517c26fa
SHA256b23fe1a321b8f7b9f0736574a98d115853c84ca6934752e4be13771eec4ac7b7
SHA5127e6c63d1bcba6e22a0f6a2539c25daf451c698fb2579747dd42b059e3780787582263b42ee57e1f8448764fb29b07173a5b8ec43c250fe2e725c6e44b1e3c583
-
Filesize
8KB