Analysis
-
max time kernel
156s -
max time network
131s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
13-02-2022 12:21
General
-
Target
7a2e499274f7d6140dd2679fc8cea05afb434f6721f952a9ff87293938a936b5.exe
-
Size
72KB
-
MD5
fb6f23927a2170bba9af65ca88d7664a
-
SHA1
37612c59c31dca457e54f5ebba1c4939f6505d63
-
SHA256
7a2e499274f7d6140dd2679fc8cea05afb434f6721f952a9ff87293938a936b5
-
SHA512
3df1c1ade15acf27426221ea9459e1b4913f4cd3ead29c0b0c59618a3dbf03a92ecd764b990cf7c6f98b5aa93f9651ea77725e37b28144ef4945ed22d8012b48
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Signatures
-
Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a2e499274f7d6140dd2679fc8cea05afb434f6721f952a9ff87293938a936b5.exe"C:\Users\Admin\AppData\Local\Temp\7a2e499274f7d6140dd2679fc8cea05afb434f6721f952a9ff87293938a936b5.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vmxx.exe"C:\Users\Admin\AppData\Local\Temp\vmxx.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\7A2E49~1.EXE"2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\VSSADMIN.EXE"C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
cbdfae2e2620b9e56d869e484fcfdac3
SHA1719c2e760f4453c323ac06635844823b966fbbb3
SHA25661139bf5ee5be48f83bef4d9e9ff3a31355e48b2c890ce8fd2b3ec63a51f7018
SHA5123a3bcf4d137cbc549a48ac08648c672ee0d780f4e57cbf6348a5c11dc9c84823fcb134646306c66aac007bb56577e223e2681701f55c779858f7ee633e9e0a4d
-
MD5
fb6f23927a2170bba9af65ca88d7664a
SHA137612c59c31dca457e54f5ebba1c4939f6505d63
SHA2567a2e499274f7d6140dd2679fc8cea05afb434f6721f952a9ff87293938a936b5
SHA5123df1c1ade15acf27426221ea9459e1b4913f4cd3ead29c0b0c59618a3dbf03a92ecd764b990cf7c6f98b5aa93f9651ea77725e37b28144ef4945ed22d8012b48
-
MD5
fb6f23927a2170bba9af65ca88d7664a
SHA137612c59c31dca457e54f5ebba1c4939f6505d63
SHA2567a2e499274f7d6140dd2679fc8cea05afb434f6721f952a9ff87293938a936b5
SHA5123df1c1ade15acf27426221ea9459e1b4913f4cd3ead29c0b0c59618a3dbf03a92ecd764b990cf7c6f98b5aa93f9651ea77725e37b28144ef4945ed22d8012b48
-
MD5
fb6f23927a2170bba9af65ca88d7664a
SHA137612c59c31dca457e54f5ebba1c4939f6505d63
SHA2567a2e499274f7d6140dd2679fc8cea05afb434f6721f952a9ff87293938a936b5
SHA5123df1c1ade15acf27426221ea9459e1b4913f4cd3ead29c0b0c59618a3dbf03a92ecd764b990cf7c6f98b5aa93f9651ea77725e37b28144ef4945ed22d8012b48
-
MD5
fb6f23927a2170bba9af65ca88d7664a
SHA137612c59c31dca457e54f5ebba1c4939f6505d63
SHA2567a2e499274f7d6140dd2679fc8cea05afb434f6721f952a9ff87293938a936b5
SHA5123df1c1ade15acf27426221ea9459e1b4913f4cd3ead29c0b0c59618a3dbf03a92ecd764b990cf7c6f98b5aa93f9651ea77725e37b28144ef4945ed22d8012b48
-
MD5
fb6f23927a2170bba9af65ca88d7664a
SHA137612c59c31dca457e54f5ebba1c4939f6505d63
SHA2567a2e499274f7d6140dd2679fc8cea05afb434f6721f952a9ff87293938a936b5
SHA5123df1c1ade15acf27426221ea9459e1b4913f4cd3ead29c0b0c59618a3dbf03a92ecd764b990cf7c6f98b5aa93f9651ea77725e37b28144ef4945ed22d8012b48
-
MD5
fb6f23927a2170bba9af65ca88d7664a
SHA137612c59c31dca457e54f5ebba1c4939f6505d63
SHA2567a2e499274f7d6140dd2679fc8cea05afb434f6721f952a9ff87293938a936b5
SHA5123df1c1ade15acf27426221ea9459e1b4913f4cd3ead29c0b0c59618a3dbf03a92ecd764b990cf7c6f98b5aa93f9651ea77725e37b28144ef4945ed22d8012b48
-
MD5
fb6f23927a2170bba9af65ca88d7664a
SHA137612c59c31dca457e54f5ebba1c4939f6505d63
SHA2567a2e499274f7d6140dd2679fc8cea05afb434f6721f952a9ff87293938a936b5
SHA5123df1c1ade15acf27426221ea9459e1b4913f4cd3ead29c0b0c59618a3dbf03a92ecd764b990cf7c6f98b5aa93f9651ea77725e37b28144ef4945ed22d8012b48
-
Filesize
8KB