Analysis
-
max time kernel
25s -
max time network
37s -
platform
windows7_x64 -
resource
win7-20231215-es -
resource tags
-
submitted
16-12-2023 18:47
General
-
Target
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
-
Size
49KB
-
MD5
46bfd4f1d581d7c0121d2b19a005d3df
-
SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d
-
SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
-
SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5
-
SSDEEP
768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Signatures
-
Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gitxqipf.exe"C:\Users\Admin\AppData\Local\Temp\gitxqipf.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\683A09~1.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\gitxqipf.exe"C:\Users\Admin\AppData\Local\Temp\gitxqipf.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\683A09~1.EXE"4⤵
-
C:\Windows\SysWOW64\VSSADMIN.EXE"C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\!satana!.txtFilesize
1KB
MD5b71b6af79019846d34214f364eb8ced2
SHA19461884badbf7a07867dea559cb2967514565ba0
SHA25606199fc48bb1560d90955f6b1c23ba827cea5f74db32eb568fa32de1fcec8ece
SHA5126d7f5c9032cdc0feeb0a07e2bbb7d3e63762d1723c309da9553521fff412d268c8a3ed15d06b4c8db1102354b5d83bda915585f50c9d38695f432bf9abb6e6c7
-
\Users\Admin\AppData\Local\Temp\gitxqipf.exeFilesize
49KB
MD546bfd4f1d581d7c0121d2b19a005d3df
SHA15b063298bbd1670b4d39e1baef67f854b8dcba9d
SHA256683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
SHA512b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5
-
memory/2896-36-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2896-38-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2896-39-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3064-0-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3064-1-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3064-3-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3064-5-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3064-7-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3064-9-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB