Analysis
-
max time kernel
150s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
14-05-2024 20:27
Static task
static1
Behavioral task
behavioral1
Sample
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
unpacked.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
unpacked.exe
Resource
win10v2004-20240426-en
General
-
Target
unpacked.exe
-
Size
72KB
-
MD5
108756f41d114eb93e136ba2feb838d0
-
SHA1
8c6b51923ee7da2f4642c7717db95fbb77d96164
-
SHA256
b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c
-
SHA512
d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa
-
SSDEEP
768:F9NJK3qZRhxXHIQBsLL16BKc+bBQZ/UMc2:rXzXol6cc+lQZMMc2
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Signatures
-
Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation unpacked.exe -
Deletes itself 1 IoCs
pid Process 3284 wutd.exe -
Executes dropped EXE 1 IoCs
pid Process 3284 wutd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keypxmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt" unpacked.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 wutd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 3284 wutd.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4044 wrote to memory of 3284 4044 unpacked.exe 93 PID 4044 wrote to memory of 3284 4044 unpacked.exe 93 PID 4044 wrote to memory of 3284 4044 unpacked.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\unpacked.exe"C:\Users\Admin\AppData\Local\Temp\unpacked.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Users\Admin\AppData\Local\Temp\wutd.exe"C:\Users\Admin\AppData\Local\Temp\wutd.exe" {55bbc255-040c-11ef-a2bd-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\unpacked.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:3284
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e8e60a2173878efc1bd3790704f714e9
SHA1dad8b75f0e5fa206d3280b6ff0f413ac0ef78f3f
SHA2561588b23c532a34c395e4600e987d77a537711cd9cbb03d008c40a3be96a1afbb
SHA512df678080a92603c7c74fcaff8a09610f6a87c976508fbba3fc5b3e4ce0bd20a78e3af63e1b8f58b6018c165a202eb18459f2f6cf7b24781be5d7fd6037f41490
-
Filesize
72KB
MD5108756f41d114eb93e136ba2feb838d0
SHA18c6b51923ee7da2f4642c7717db95fbb77d96164
SHA256b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c
SHA512d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa