Analysis

  • max time kernel
    25s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20231215-es
  • resource tags

    arch:x64arch:x86image:win7-20231215-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    16-12-2023 18:47

General

  • Target

    683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe

  • Size

    49KB

  • MD5

    46bfd4f1d581d7c0121d2b19a005d3df

  • SHA1

    5b063298bbd1670b4d39e1baef67f854b8dcba9d

  • SHA256

    683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

  • SHA512

    b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

  • SSDEEP

    768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: XsHmuuiWcMgjitqGaxdaafnBGCnP13zcy6 total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: XsHmuuiWcMgjitqGaxdaafnBGCnP13zcy6 here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Signatures

  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
    "C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
      "C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Users\Admin\AppData\Local\Temp\gitxqipf.exe
        "C:\Users\Admin\AppData\Local\Temp\gitxqipf.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\683A09~1.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2780
        • C:\Users\Admin\AppData\Local\Temp\gitxqipf.exe
          "C:\Users\Admin\AppData\Local\Temp\gitxqipf.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\683A09~1.EXE"
          4⤵
            PID:2896
            • C:\Windows\SysWOW64\VSSADMIN.EXE
              "C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet
              5⤵
              • Interacts with shadow copies
              PID:2592

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\!satana!.txt

      Filesize

      1KB

      MD5

      b71b6af79019846d34214f364eb8ced2

      SHA1

      9461884badbf7a07867dea559cb2967514565ba0

      SHA256

      06199fc48bb1560d90955f6b1c23ba827cea5f74db32eb568fa32de1fcec8ece

      SHA512

      6d7f5c9032cdc0feeb0a07e2bbb7d3e63762d1723c309da9553521fff412d268c8a3ed15d06b4c8db1102354b5d83bda915585f50c9d38695f432bf9abb6e6c7

    • \Users\Admin\AppData\Local\Temp\gitxqipf.exe

      Filesize

      49KB

      MD5

      46bfd4f1d581d7c0121d2b19a005d3df

      SHA1

      5b063298bbd1670b4d39e1baef67f854b8dcba9d

      SHA256

      683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

      SHA512

      b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

    • memory/2896-36-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2896-38-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2896-39-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/3064-0-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/3064-1-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/3064-3-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/3064-5-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/3064-7-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/3064-9-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB