satana | 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

General

Target

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Size

49KB
MD5

46bfd4f1d581d7c0121d2b19a005d3df
SHA1

5b063298bbd1670b4d39e1baef67f854b8dcba9d
SHA256

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
SHA512

b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5
SSDEEP

768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj

Score

10^/10

satana bootkit persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note

You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: XckRGrfki7heuskuFavvh14wmRiaAucrPn total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: XckRGrfki7heuskuFavvh14wmRiaAucrPn here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Emails

[email protected]

Signatures

Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
ransomware satana
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Deletes itself 1 IoCs

Processes:

yrut.exe

pid process

2852 yrut.exe
Executes dropped EXE 2 IoCs

Processes:

yrut.exeyrut.exe

pid process

2792 yrut.exe
2852 yrut.exe

pid	process
2852	yrut.exe

pid	process
2792	yrut.exe
2852	yrut.exe

Loads dropped DLL 5 IoCs

Processes:

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exeyrut.exe

pid	process
1816	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
1816	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
1816	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
1816	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
2792	yrut.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziucc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

yrut.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 yrut.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	yrut.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exeyrut.exe

description	pid	process	target process
PID 2180 set thread context of 1816	2180	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
PID 2792 set thread context of 2852	2792	yrut.exe	yrut.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

VSSADMIN.EXE

pid process

2584 VSSADMIN.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

yrut.exe

description pid process

Token: SeIncBasePriorityPrivilege 2852 yrut.exe

pid	process
2584	VSSADMIN.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2852	yrut.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exeyrut.exe

description	pid	process	target process
PID 2180 wrote to memory of 1816	2180	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
PID 2180 wrote to memory of 1816	2180	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
PID 2180 wrote to memory of 1816	2180	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
PID 2180 wrote to memory of 1816	2180	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
PID 2180 wrote to memory of 1816	2180	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
PID 2180 wrote to memory of 1816	2180	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
PID 2180 wrote to memory of 1816	2180	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
PID 2180 wrote to memory of 1816	2180	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
PID 2180 wrote to memory of 1816	2180	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
PID 2180 wrote to memory of 1816	2180	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
PID 1816 wrote to memory of 2792	1816	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	yrut.exe
PID 1816 wrote to memory of 2792	1816	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	yrut.exe
PID 1816 wrote to memory of 2792	1816	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	yrut.exe
PID 1816 wrote to memory of 2792	1816	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	yrut.exe
PID 2792 wrote to memory of 2852	2792	yrut.exe	yrut.exe
PID 2792 wrote to memory of 2852	2792	yrut.exe	yrut.exe
PID 2792 wrote to memory of 2852	2792	yrut.exe	yrut.exe
PID 2792 wrote to memory of 2852	2792	yrut.exe	yrut.exe
PID 2792 wrote to memory of 2852	2792	yrut.exe	yrut.exe
PID 2792 wrote to memory of 2852	2792	yrut.exe	yrut.exe
PID 2792 wrote to memory of 2852	2792	yrut.exe	yrut.exe
PID 2792 wrote to memory of 2852	2792	yrut.exe	yrut.exe
PID 2792 wrote to memory of 2852	2792	yrut.exe	yrut.exe
PID 2792 wrote to memory of 2852	2792	yrut.exe	yrut.exe

C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
"C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
"C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\yrut.exe
"C:\Users\Admin\AppData\Local\Temp\yrut.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\683A09~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Local\Temp\yrut.exe
"C:\Users\Admin\AppData\Local\Temp\yrut.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\683A09~1.EXE"
4⤵
- Deletes itself
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\VSSADMIN.EXE
"C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Pre-OS Boot

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Filesize
1KB

MD5
082c9961b65be72ab1f64fa7e4922f7b

SHA1
27783a50ddd31d2553420f59bbdcd41e33c34a80

SHA256
8b15ffdaaf0c6803bf730e48616a3cc0f917c899e85fc306d55bdb0f512d9dd6

SHA512
a7c18074ea5da0e0b462ea4167b6c768e9ee7bdac5ebbe23f65b3b34a3719145df82c84f1b335cb06c65160657e62f4ef78d7b21d1b93b5aaa6009cddca31f90

Download Submit
\Users\Admin\AppData\Local\Temp\yrut.exe
Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
memory/1816-5-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-3-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2852-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2852-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2852-38-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2852-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads