Analysis
max time kernel: 25s
max time network: 37s
platform: windows7_x64
resource: win7-20231215-es
resource tags: arch:x64, arch:x86, image:win7-20231215-es, locale:es-es, os:windows7-x64, system, windows
submitted: 16-12-2023 18:47
Static task: static1
Behavioral task: behavioral1
  Sample: 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
  Resource: win7-20231215-es
Behavioral task: behavioral2
  Sample: 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
  Resource: win10v2004-20231215-es
General
Target: 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Size: 49KB
MD5: 46bfd4f1d581d7c0121d2b19a005d3df
SHA1: 5b063298bbd1670b4d39e1baef67f854b8dcba9d
SHA256: 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
SHA512: b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5
SSDEEP: 768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Signatures
Satana
  Ransomware family which also encrypts the system's Master Boot Record (MBR).
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Executes dropped EXE (1 IoC)
  pid   Process
  2780  gitxqipf.exe
Loads dropped DLL (5 IoCs)
  pid   Process
  3064  683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe (4 occurrences)
  2780  gitxqipf.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\dorwdouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"
  Process: 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                                                   procid_target
  PID 1312 set thread context of 3064  1312  683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe  28
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  2592  VSSADMIN.EXE
Suspicious use of WriteProcessMemory (14 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 1312 wrote to memory of 3064  1312  683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe  28  (10 occurrences)
  PID 3064 wrote to memory of 2780  3064  683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe  29  (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe (PID 1312)
   Command line: "C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe (PID 3064)
      Command line: "C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\gitxqipf.exe (PID 2780)
         Command line: "C:\Users\Admin\AppData\Local\Temp\gitxqipf.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\683A09~1.EXE"
         - Executes dropped EXE
         - Loads dropped DLL
         4. C:\Users\Admin\AppData\Local\Temp\gitxqipf.exe (PID 2896)
            Command line: "C:\Users\Admin\AppData\Local\Temp\gitxqipf.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\683A09~1.EXE"
            5. C:\Windows\SysWOW64\VSSADMIN.EXE (PID 2592)
               Command line: "C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet
               - Interacts with shadow copies
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1KB
  MD5: b71b6af79019846d34214f364eb8ced2
  SHA1: 9461884badbf7a07867dea559cb2967514565ba0
  SHA256: 06199fc48bb1560d90955f6b1c23ba827cea5f74db32eb568fa32de1fcec8ece
  SHA512: 6d7f5c9032cdc0feeb0a07e2bbb7d3e63762d1723c309da9553521fff412d268c8a3ed15d06b4c8db1102354b5d83bda915585f50c9d38695f432bf9abb6e6c7
File 2
  Filesize: 49KB
  MD5: 46bfd4f1d581d7c0121d2b19a005d3df
  SHA1: 5b063298bbd1670b4d39e1baef67f854b8dcba9d
  SHA256: 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
  SHA512: b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5