Overview

overview

10

Static

static

3

683a09da21...96.exe

windows10-2004-x64

5

Satana/satana.exe

windows10-2004-x64

5

Satana/unpacked.exe

windows10-2004-x64

10

unpacked.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-03-2024 17:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    unpacked.exe

  • Size

    72KB

  • MD5

    108756f41d114eb93e136ba2feb838d0

  • SHA1

    8c6b51923ee7da2f4642c7717db95fbb77d96164

  • SHA256

    b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

  • SHA512

    d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa

  • SSDEEP

    768:F9NJK3qZRhxXHIQBsLL16BKc+bBQZ/UMc2:rXzXol6cc+lQZMMc2

Score
10/10
satanabootkitpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 5CC4F4EFAF4E87406CDEE64B79962551 and pay on a Bitcoin Wallet: Xqz5WKhkQJBub7XABd4TJANXtQXGCacNUG total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 5CC4F4EFAF4E87406CDEE64B79962551 this is code; you must send BTC: Xqz5WKhkQJBub7XABd4TJANXtQXGCacNUG here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Signatures

  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

    ransomwaresatana
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\unpacked.exe
    "C:\Users\Admin\AppData\Local\Temp\unpacked.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Users\Admin\AppData\Local\Temp\liotip.exe
      "C:\Users\Admin\AppData\Local\Temp\liotip.exe" {9c085fc0-d4f3-11ee-b9e5-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\unpacked.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of AdjustPrivilegeToken
      PID:4504
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1352 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2392

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\!satana!.txt
      Filesize

      1KB

      MD5

      d9774310eac03fb7501722f6c9312e46

      SHA1

      75d0dc63eaae23751c819d9fc4f76227361117a6

      SHA256

      3a02a0f131909257b2cd1dc8a6080152853a2da824b757f537abaa3208bde18d

      SHA512

      46c89a9511a66a36e08880febfa6c2a99f930d8feee600f102efea9be4d27600677aaa736db3a7d77ee0ce74115a5dc0f8aa2260c01bbbab5acf05ecc07bee6c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\liotip.exe
      Filesize

      72KB

      MD5

      108756f41d114eb93e136ba2feb838d0

      SHA1

      8c6b51923ee7da2f4642c7717db95fbb77d96164

      SHA256

      b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

      SHA512

      d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa

      Download Submit