Overview

overview

10

Static

static

3

Satana.exe

windows7-x64

10

Resubmissions

11-01-2024 16:01

240111-tgd2laahcq 10

11-01-2024 13:57

240111-q9c38ahbcn 10

30-12-2023 02:18

231230-crebnsadgm 9

Analysis

  • max time kernel
    27s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2024 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Satana.exe

  • Size

    49KB

  • MD5

    46bfd4f1d581d7c0121d2b19a005d3df

  • SHA1

    5b063298bbd1670b4d39e1baef67f854b8dcba9d

  • SHA256

    683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

  • SHA512

    b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

  • SSDEEP

    768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj

Score
10/10
satanabootkitpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: XpVh1a3MqRPea2e1GJEvAYeVkpvF98sqhS total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: XpVh1a3MqRPea2e1GJEvAYeVkpvF98sqhS here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Signatures

  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

    ransomwaresatana
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Satana.exe
    "C:\Users\Admin\AppData\Local\Temp\Satana.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Users\Admin\AppData\Local\Temp\Satana.exe
      "C:\Users\Admin\AppData\Local\Temp\Satana.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Users\Admin\AppData\Local\Temp\fnug.exe
        "C:\Users\Admin\AppData\Local\Temp\fnug.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\Satana.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Users\Admin\AppData\Local\Temp\fnug.exe
          "C:\Users\Admin\AppData\Local\Temp\fnug.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\Satana.exe"
          4⤵
          • Deletes itself
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of AdjustPrivilegeToken
          PID:2212
          • C:\Windows\SysWOW64\VSSADMIN.EXE
            "C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet
            5⤵
            • Interacts with shadow copies
            PID:2296

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\!satana!.txt
    Filesize

    1KB

    MD5

    4e444ad021ad48fd0cd35f75c0879102

    SHA1

    eb76854620f07fed0ed40b4cc788e09b6df2867a

    SHA256

    0956cbba6e944fd76a98fc03c69a1e4d819723e5e60dd87e550f5d4b11223af3

    SHA512

    69147e34e5e230b86b38cec25176beb31c4fa4ca2ab47bc19d6312568ef79644bf131071bd1a0cee5357654ef69101efd8ee232d487b889d094c7e693065c20c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\fnug.exe
    Filesize

    49KB

    MD5

    46bfd4f1d581d7c0121d2b19a005d3df

    SHA1

    5b063298bbd1670b4d39e1baef67f854b8dcba9d

    SHA256

    683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

    SHA512

    b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

    Download Submit
  • memory/2140-5-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2140-0-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2140-7-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2140-10-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2140-3-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2140-1-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2212-36-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2212-38-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2212-39-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2212-43-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2212-41-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download