Resubmissions
11-01-2024 16:01
240111-tgd2laahcq 1011-01-2024 13:57
240111-q9c38ahbcn 1030-12-2023 02:18
231230-crebnsadgm 9Analysis
-
max time kernel
27s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
11-01-2024 16:01
Static task
static1
Behavioral task
behavioral1
Sample
Satana.exe
Resource
win7-20231215-en
General
-
Target
Satana.exe
-
Size
49KB
-
MD5
46bfd4f1d581d7c0121d2b19a005d3df
-
SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d
-
SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
-
SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5
-
SSDEEP
768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Signatures
-
Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
pid Process 2212 fnug.exe -
Executes dropped EXE 2 IoCs
pid Process 2120 fnug.exe 2212 fnug.exe -
Loads dropped DLL 5 IoCs
pid Process 2140 Satana.exe 2140 Satana.exe 2140 Satana.exe 2140 Satana.exe 2120 fnug.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\pfxfyjyk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt" Satana.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 fnug.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2640 set thread context of 2140 2640 Satana.exe 28 PID 2120 set thread context of 2212 2120 fnug.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2296 VSSADMIN.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2212 fnug.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2640 wrote to memory of 2140 2640 Satana.exe 28 PID 2640 wrote to memory of 2140 2640 Satana.exe 28 PID 2640 wrote to memory of 2140 2640 Satana.exe 28 PID 2640 wrote to memory of 2140 2640 Satana.exe 28 PID 2640 wrote to memory of 2140 2640 Satana.exe 28 PID 2640 wrote to memory of 2140 2640 Satana.exe 28 PID 2640 wrote to memory of 2140 2640 Satana.exe 28 PID 2640 wrote to memory of 2140 2640 Satana.exe 28 PID 2640 wrote to memory of 2140 2640 Satana.exe 28 PID 2640 wrote to memory of 2140 2640 Satana.exe 28 PID 2140 wrote to memory of 2120 2140 Satana.exe 31 PID 2140 wrote to memory of 2120 2140 Satana.exe 31 PID 2140 wrote to memory of 2120 2140 Satana.exe 31 PID 2140 wrote to memory of 2120 2140 Satana.exe 31 PID 2120 wrote to memory of 2212 2120 fnug.exe 32 PID 2120 wrote to memory of 2212 2120 fnug.exe 32 PID 2120 wrote to memory of 2212 2120 fnug.exe 32 PID 2120 wrote to memory of 2212 2120 fnug.exe 32 PID 2120 wrote to memory of 2212 2120 fnug.exe 32 PID 2120 wrote to memory of 2212 2120 fnug.exe 32 PID 2120 wrote to memory of 2212 2120 fnug.exe 32 PID 2120 wrote to memory of 2212 2120 fnug.exe 32 PID 2120 wrote to memory of 2212 2120 fnug.exe 32 PID 2120 wrote to memory of 2212 2120 fnug.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\Satana.exe"C:\Users\Admin\AppData\Local\Temp\Satana.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\Satana.exe"C:\Users\Admin\AppData\Local\Temp\Satana.exe"2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\fnug.exe"C:\Users\Admin\AppData\Local\Temp\fnug.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\Satana.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Users\Admin\AppData\Local\Temp\fnug.exe"C:\Users\Admin\AppData\Local\Temp\fnug.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\Satana.exe"4⤵
- Deletes itself
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:2212 -
C:\Windows\SysWOW64\VSSADMIN.EXE"C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
PID:2296
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54e444ad021ad48fd0cd35f75c0879102
SHA1eb76854620f07fed0ed40b4cc788e09b6df2867a
SHA2560956cbba6e944fd76a98fc03c69a1e4d819723e5e60dd87e550f5d4b11223af3
SHA51269147e34e5e230b86b38cec25176beb31c4fa4ca2ab47bc19d6312568ef79644bf131071bd1a0cee5357654ef69101efd8ee232d487b889d094c7e693065c20c
-
Filesize
49KB
MD546bfd4f1d581d7c0121d2b19a005d3df
SHA15b063298bbd1670b4d39e1baef67f854b8dcba9d
SHA256683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
SHA512b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5