General
-
Target
4785c134b128df624760c02ad23c7e345a234a99828c3fecf58fbd6d5449897f
-
Size
57KB
-
Sample
240514-y8jhlseh4z
-
MD5
82f621944ee2639817400befabedffcf
-
SHA1
c183ae5ab43b9b3d3fabdb29859876c507a8d273
-
SHA256
4785c134b128df624760c02ad23c7e345a234a99828c3fecf58fbd6d5449897f
-
SHA512
7a2257af32b265596e9f864767f2b86fb439b846f7bffa4b9f477f2e54bc3ff2bb56a39db88b72a0112972959570afc697c3202839a836a6d10409a10985031b
-
SSDEEP
1536:GBfLHxIOBET2Uvk6w5yD5O92x2HtYli0kR5sJ7LNeeSLK/TJ:GBf9IOXok6DODtY40kDsjiL6F
Static task
static1
Behavioral task
behavioral1
Sample
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
unpacked.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
unpacked.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Extracted
C:\MSOCache\!satana!.txt
Extracted
C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Targets
-
-
Target
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin
-
Size
49KB
-
MD5
46bfd4f1d581d7c0121d2b19a005d3df
-
SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d
-
SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
-
SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5
-
SSDEEP
768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-
-
-
Target
unpacked.mem
-
Size
72KB
-
MD5
108756f41d114eb93e136ba2feb838d0
-
SHA1
8c6b51923ee7da2f4642c7717db95fbb77d96164
-
SHA256
b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c
-
SHA512
d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa
-
SSDEEP
768:F9NJK3qZRhxXHIQBsLL16BKc+bBQZ/UMc2:rXzXol6cc+lQZMMc2
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1