Overview

overview

10

Static

static

683a09da21...96.exe

windows7_x64

10

683a09da21...96.exe

windows10-2004_x64

10

unpacked.exe

windows7_x64

10

unpacked.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    81a735001b3902771af36e3cf3261d16aa9fc7410f80bbf7b36cdc22954aaf7e

  • Size

    121KB

  • Sample

    220213-pjl3rsbgbp

  • MD5

    f798a6823a9d4618e792f93f00cf1fdc

  • SHA1

    dcd48339ebb54eec1b34506a34fabfa200e0b8a9

  • SHA256

    81a735001b3902771af36e3cf3261d16aa9fc7410f80bbf7b36cdc22954aaf7e

  • SHA512

    5c1be984e70a114f79f3b9aaad895d1a07895643ea74fbbc02593e7208e94514ab45a19340e9547a2296bfbf8c8e3b7d7dabec67ae2f9984df6665f4cd92b0d1

Score
10/10
satanabootkitpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: Xoq9wmiB1vbT7WAkGZWcgex544YGdC93Eb total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: Xoq9wmiB1vbT7WAkGZWcgex544YGdC93Eb here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: XpVh1a3MqRPea2e1GJEvAYeVkpvF98sqhS total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: XpVh1a3MqRPea2e1GJEvAYeVkpvF98sqhS here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 18B25953E328E11606833463C8A10A63 and pay on a Bitcoin Wallet: XbvKCGr8VowpBLwE8VxHNL2oL24ukKcNFw total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 18B25953E328E11606833463C8A10A63 this is code; you must send BTC: XbvKCGr8VowpBLwE8VxHNL2oL24ukKcNFw here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Targets

    • Target

      683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin

    • Size

      49KB

    • MD5

      46bfd4f1d581d7c0121d2b19a005d3df

    • SHA1

      5b063298bbd1670b4d39e1baef67f854b8dcba9d

    • SHA256

      683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

    • SHA512

      b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

    Score
    10/10
    satanabootkitpersistenceransomware

    • Satana

      Ransomware family which also encrypts the system's Master Boot Record (MBR).

      ransomwaresatana

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      unpacked.mem

    • Size

      72KB

    • MD5

      108756f41d114eb93e136ba2feb838d0

    • SHA1

      8c6b51923ee7da2f4642c7717db95fbb77d96164

    • SHA256

      b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

    • SHA512

      d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa

    Score
    10/10
    satanabootkitpersistenceransomware

    • Satana

      Ransomware family which also encrypts the system's Master Boot Record (MBR).

      ransomwaresatana

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks