Analysis
-
max time kernel
28s -
max time network
38s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
04-02-2024 14:39
Static task
static1
Behavioral task
behavioral1
Sample
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Resource
win10v2004-20231215-en
General
-
Target
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
-
Size
49KB
-
MD5
46bfd4f1d581d7c0121d2b19a005d3df
-
SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d
-
SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
-
SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5
-
SSDEEP
768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Signatures
-
Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
pid Process 2852 yrut.exe -
Executes dropped EXE 2 IoCs
pid Process 2792 yrut.exe 2852 yrut.exe -
Loads dropped DLL 5 IoCs
pid Process 1816 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 1816 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 1816 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 1816 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 2792 yrut.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziucc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt" 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 yrut.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2180 set thread context of 1816 2180 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 28 PID 2792 set thread context of 2852 2792 yrut.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2584 VSSADMIN.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2852 yrut.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2180 wrote to memory of 1816 2180 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 28 PID 2180 wrote to memory of 1816 2180 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 28 PID 2180 wrote to memory of 1816 2180 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 28 PID 2180 wrote to memory of 1816 2180 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 28 PID 2180 wrote to memory of 1816 2180 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 28 PID 2180 wrote to memory of 1816 2180 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 28 PID 2180 wrote to memory of 1816 2180 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 28 PID 2180 wrote to memory of 1816 2180 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 28 PID 2180 wrote to memory of 1816 2180 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 28 PID 2180 wrote to memory of 1816 2180 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 28 PID 1816 wrote to memory of 2792 1816 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 29 PID 1816 wrote to memory of 2792 1816 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 29 PID 1816 wrote to memory of 2792 1816 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 29 PID 1816 wrote to memory of 2792 1816 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe 29 PID 2792 wrote to memory of 2852 2792 yrut.exe 30 PID 2792 wrote to memory of 2852 2792 yrut.exe 30 PID 2792 wrote to memory of 2852 2792 yrut.exe 30 PID 2792 wrote to memory of 2852 2792 yrut.exe 30 PID 2792 wrote to memory of 2852 2792 yrut.exe 30 PID 2792 wrote to memory of 2852 2792 yrut.exe 30 PID 2792 wrote to memory of 2852 2792 yrut.exe 30 PID 2792 wrote to memory of 2852 2792 yrut.exe 30 PID 2792 wrote to memory of 2852 2792 yrut.exe 30 PID 2792 wrote to memory of 2852 2792 yrut.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Users\Admin\AppData\Local\Temp\yrut.exe"C:\Users\Admin\AppData\Local\Temp\yrut.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\683A09~1.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Users\Admin\AppData\Local\Temp\yrut.exe"C:\Users\Admin\AppData\Local\Temp\yrut.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\683A09~1.EXE"4⤵
- Deletes itself
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:2852 -
C:\Windows\SysWOW64\VSSADMIN.EXE"C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
PID:2584
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5082c9961b65be72ab1f64fa7e4922f7b
SHA127783a50ddd31d2553420f59bbdcd41e33c34a80
SHA2568b15ffdaaf0c6803bf730e48616a3cc0f917c899e85fc306d55bdb0f512d9dd6
SHA512a7c18074ea5da0e0b462ea4167b6c768e9ee7bdac5ebbe23f65b3b34a3719145df82c84f1b335cb06c65160657e62f4ef78d7b21d1b93b5aaa6009cddca31f90
-
Filesize
49KB
MD546bfd4f1d581d7c0121d2b19a005d3df
SHA15b063298bbd1670b4d39e1baef67f854b8dcba9d
SHA256683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
SHA512b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5