Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
14-05-2024 17:25
Static task
static1
Behavioral task
behavioral1
Sample
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
unpacked.exe
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
unpacked.exe
Resource
win10v2004-20240508-en
General
-
Target
unpacked.exe
-
Size
72KB
-
MD5
108756f41d114eb93e136ba2feb838d0
-
SHA1
8c6b51923ee7da2f4642c7717db95fbb77d96164
-
SHA256
b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c
-
SHA512
d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa
-
SSDEEP
768:F9NJK3qZRhxXHIQBsLL16BKc+bBQZ/UMc2:rXzXol6cc+lQZMMc2
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Signatures
-
Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
unpacked.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation unpacked.exe -
Deletes itself 1 IoCs
Processes:
ewpt.exepid process 1916 ewpt.exe -
Executes dropped EXE 1 IoCs
Processes:
ewpt.exepid process 1916 ewpt.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
unpacked.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebigg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt" unpacked.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
ewpt.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 ewpt.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ewpt.exedescription pid process Token: SeIncBasePriorityPrivilege 1916 ewpt.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
unpacked.exedescription pid process target process PID 3764 wrote to memory of 1916 3764 unpacked.exe ewpt.exe PID 3764 wrote to memory of 1916 3764 unpacked.exe ewpt.exe PID 3764 wrote to memory of 1916 3764 unpacked.exe ewpt.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\unpacked.exe"C:\Users\Admin\AppData\Local\Temp\unpacked.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Users\Admin\AppData\Local\Temp\ewpt.exe"C:\Users\Admin\AppData\Local\Temp\ewpt.exe" {b507c657-0d76-11ef-9505-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\unpacked.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57b698c46a42304e21979a850ae6b4fe7
SHA148ad79501110a2493c9bd81877fe22d890ada2a7
SHA25656b72cd91d9bf5e808f077848b5f75393443545807202077f9d063612c1c8dbc
SHA51235dc74fb897c1b2c3946e12413a21c5feefa48d417c5b409d001378c9666ff87a0ce97182a8f66e2e31d8f3357f1de60481d07c39bb9f3a4df7fcf7bdccedaf5
-
Filesize
72KB
MD5108756f41d114eb93e136ba2feb838d0
SHA18c6b51923ee7da2f4642c7717db95fbb77d96164
SHA256b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c
SHA512d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa