Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-03-2024 17:05
Static task
static1
Behavioral task
behavioral1
Sample
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral2
Sample
Satana/satana.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Satana/unpacked.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
unpacked.exe
Resource
win10v2004-20240226-en
General
-
Target
Satana/unpacked.exe
-
Size
72KB
-
MD5
108756f41d114eb93e136ba2feb838d0
-
SHA1
8c6b51923ee7da2f4642c7717db95fbb77d96164
-
SHA256
b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c
-
SHA512
d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa
-
SSDEEP
768:F9NJK3qZRhxXHIQBsLL16BKc+bBQZ/UMc2:rXzXol6cc+lQZMMc2
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Signatures
-
Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation unpacked.exe -
Deletes itself 1 IoCs
pid Process 5052 wnwzwyo.exe -
Executes dropped EXE 1 IoCs
pid Process 5052 wnwzwyo.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt" unpacked.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 wnwzwyo.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 5052 wnwzwyo.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2092 wrote to memory of 5052 2092 unpacked.exe 101 PID 2092 wrote to memory of 5052 2092 unpacked.exe 101 PID 2092 wrote to memory of 5052 2092 unpacked.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\Satana\unpacked.exe"C:\Users\Admin\AppData\Local\Temp\Satana\unpacked.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Users\Admin\AppData\Local\Temp\wnwzwyo.exe"C:\Users\Admin\AppData\Local\Temp\wnwzwyo.exe" {1b5ca475-d4f3-11ee-abdf-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\Satana\unpacked.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:5052
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ecd2da437a732bb98cdb94c9557d34a3
SHA119850a5a2b589f7101034afd8765d0bdaa8b5bdf
SHA2561a80622a5f3b0e106093cfae90a513bb90438c89acec145eb38fbdfff9cc4242
SHA512b490f179b4b6ffe83f2231808a9dcd5e3080301c7df4c897cfc670168b140c4d012b366267a2ff7a901ad300257c6d1e17ccbe56b0636b1fc210b5af56f5e290
-
Filesize
72KB
MD5108756f41d114eb93e136ba2feb838d0
SHA18c6b51923ee7da2f4642c7717db95fbb77d96164
SHA256b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c
SHA512d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa