satana | 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

Analysis

max time kernel
218s
max time network
219s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 16:48

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Satana.exe
Size

49KB
MD5

46bfd4f1d581d7c0121d2b19a005d3df
SHA1

5b063298bbd1670b4d39e1baef67f854b8dcba9d
SHA256

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
SHA512

b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5
SSDEEP

768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj

Score

10^/10

satana bootkit defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note

You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: XqW49FMuYkSVhSwjB6wvgHNnTDhTasLqtx total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: XqW49FMuYkSVhSwjB6wvgHNnTDhTasLqtx here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Emails

[email protected]

Signatures

Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
ransomware satana
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Deletes itself 1 IoCs

Processes:

crop.exe

pid process

3048 crop.exe
Executes dropped EXE 2 IoCs

Processes:

crop.execrop.exe

pid process

2024 crop.exe
3048 crop.exe
Loads dropped DLL 6 IoCs

Processes:

Satana.execrop.execrop.exe

pid process

1636 Satana.exe
1636 Satana.exe
1636 Satana.exe
1636 Satana.exe
2024 crop.exe
3048 crop.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3048	crop.exe

pid	process
2024	crop.exe
3048	crop.exe

pid	process
1636	Satana.exe
1636	Satana.exe
1636	Satana.exe
1636	Satana.exe
2024	crop.exe
3048	crop.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Satana.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\gcxjtil = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"	Satana.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

crop.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 crop.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

Satana.execrop.exe

description pid process target process

PID 992 set thread context of 1636 992 Satana.exe Satana.exe
PID 2024 set thread context of 3048 2024 crop.exe crop.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	crop.exe

description	pid	process	target process
PID 992 set thread context of 1636	992	Satana.exe	Satana.exe
PID 2024 set thread context of 3048	2024	crop.exe	crop.exe

Drops file in Program Files directory 64 IoCs

Processes:

crop.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml	crop.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\!satana!.txt	crop.exe
File created	C:\Program Files\Java\jre7\lib\jfr\!satana!.txt	crop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_hov.png	crop.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\!satana!.txt	crop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml	crop.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\!satana!.txt	crop.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\!satana!.txt	crop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml	crop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\gadget.xml	crop.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\Xusage.txt	crop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png	crop.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png	crop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp	crop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)redStateIcon.png	crop.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\!satana!.txt	crop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml	crop.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EURO\!satana!.txt	crop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png	crop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png	crop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml	crop.exe
File created	C:\Program Files (x86)\Adobe\!satana!.txt	crop.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\!satana!.txt	crop.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml	crop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png	crop.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\!satana!.txt	crop.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\!satana!.txt	crop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png	crop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png	crop.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\!satana!.txt	crop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\gadget.xml	crop.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\!satana!.txt	crop.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\!satana!.txt	crop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp	crop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png	crop.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\!satana!.txt	crop.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\!satana!.txt	crop.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\!satana!.txt	crop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	crop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png	crop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png	crop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png	crop.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\!satana!.txt	crop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png	crop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml	crop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png	crop.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\!satana!.txt	crop.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\!satana!.txt	crop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png	crop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png	crop.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\!satana!.txt	crop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous_partly-cloudy.png	crop.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\!satana!.txt	crop.exe
File created	C:\Program Files\Windows Journal\fr-FR\!satana!.txt	crop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml	crop.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png	crop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png	crop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml	crop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_down.png	crop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png	crop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png	crop.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\!satana!.txt	crop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png	crop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png	crop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

VSSADMIN.EXE

pid process

2548 VSSADMIN.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2252 chrome.exe
2252 chrome.exe

pid	process
2548	VSSADMIN.EXE

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

chrome.execrop.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeIncBasePriorityPrivilege	3048	crop.exe
Token: SeBackupPrivilege	1840	vssvc.exe
Token: SeRestorePrivilege	1840	vssvc.exe
Token: SeAuditPrivilege	1840	vssvc.exe
Token: SeShutdownPrivilege	3048	crop.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe

pid	process
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Satana.exechrome.exe

description	pid	process	target process
PID 992 wrote to memory of 1636	992	Satana.exe	Satana.exe
PID 992 wrote to memory of 1636	992	Satana.exe	Satana.exe
PID 992 wrote to memory of 1636	992	Satana.exe	Satana.exe
PID 992 wrote to memory of 1636	992	Satana.exe	Satana.exe
PID 992 wrote to memory of 1636	992	Satana.exe	Satana.exe
PID 992 wrote to memory of 1636	992	Satana.exe	Satana.exe
PID 992 wrote to memory of 1636	992	Satana.exe	Satana.exe
PID 992 wrote to memory of 1636	992	Satana.exe	Satana.exe
PID 992 wrote to memory of 1636	992	Satana.exe	Satana.exe
PID 992 wrote to memory of 1636	992	Satana.exe	Satana.exe
PID 2252 wrote to memory of 1232	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1232	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1232	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2676	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2272	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2272	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 2272	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1920	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1920	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1920	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1920	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1920	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1920	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1920	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1920	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1920	2252	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Satana.exe
"C:\Users\Admin\AppData\Local\Temp\Satana.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\Satana.exe
"C:\Users\Admin\AppData\Local\Temp\Satana.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
PID:1636

C:\Users\Admin\AppData\Local\Temp\crop.exe
"C:\Users\Admin\AppData\Local\Temp\crop.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\Satana.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2024

C:\Users\Admin\AppData\Local\Temp\crop.exe
"C:\Users\Admin\AppData\Local\Temp\crop.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\Satana.exe"
4⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\SysWOW64\VSSADMIN.EXE
"C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:2548

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\!satana!.txt
5⤵
PID:12612

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
5⤵
PID:12796

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
5⤵
PID:12844

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
5⤵
PID:12916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ff9758,0x7fef6ff9768,0x7fef6ff9778
2⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1284,i,1588897818529885524,11974209861300703243,131072 /prefetch:2
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1284,i,1588897818529885524,11974209861300703243,131072 /prefetch:8
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1284,i,1588897818529885524,11974209861300703243,131072 /prefetch:8
2⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1284,i,1588897818529885524,11974209861300703243,131072 /prefetch:1
2⤵
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2232 --field-trial-handle=1284,i,1588897818529885524,11974209861300703243,131072 /prefetch:1
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1316 --field-trial-handle=1284,i,1588897818529885524,11974209861300703243,131072 /prefetch:2
2⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3016 --field-trial-handle=1284,i,1588897818529885524,11974209861300703243,131072 /prefetch:1
2⤵
PID:548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3476 --field-trial-handle=1284,i,1588897818529885524,11974209861300703243,131072 /prefetch:8
2⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3232 --field-trial-handle=1284,i,1588897818529885524,11974209861300703243,131072 /prefetch:8
2⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 --field-trial-handle=1284,i,1588897818529885524,11974209861300703243,131072 /prefetch:8
2⤵
PID:336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 --field-trial-handle=1284,i,1588897818529885524,11974209861300703243,131072 /prefetch:8
2⤵
PID:2108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:12876

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:13020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\88a633b8-c939-4365-a7bb-fb233769530c.tmp
Filesize
278KB

MD5
74dc203043074a24c5352462426f004a

SHA1
0fc0ea8b624cf019782e68478fbb62f2ae5c9d21

SHA256
8d3c9b616976557415da65c32e91a08f1ee77389b249d4d174e3636caa392839

SHA512
c4be35a5b1f659bf583cbdb616b333f1d884373ac4b6e49955c188b56500733643b0a25f51d0d9da2a76ebd71021de44f52676b4e0c013723dac9f7aab69074c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
52b1b43364e1efd6f1e6aafe2f1cd701

SHA1
c34a57bb5e67b59f883130231b2e1c20cf748b10

SHA256
a1fc92a81ddd65f55fc28c11028e603f0f26f09c15437d149d1bd4ad5b751975

SHA512
c73f0414a89c83a4f3c829d27c9b8ad6602efaa0ad8db2575a4414de28900908526e3423407d496c5d21557d665e162abb4294daede0867afd0c159fd13be96a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
278KB

MD5
7de8a4cc1f5819cb18061b899d94e1dc

SHA1
310116812c73fb7b256c1d0db89bc939f251efa2

SHA256
b35fb086f5c945c2899d6e0f3988e62aa9b57b43209cc110b1a95ea004e67d21

SHA512
3a30915233acca7b597c4d007d9b1406585128a9b927bd0015154acf8f0ec32ea8ee93d339aac4354d90a3942ee7006884c5131d14687efb71cee49aa5bb58cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
140KB

MD5
9ff6e7b913c054d4fd4b876121fb0dd1

SHA1
19ea55e3c35e42ab011092483efafab4166f10cb

SHA256
c4f350cec064a437db49ac8ad59b21173f8ddfb0650184bc35d3bedbb5103950

SHA512
0a0b005f257f1fad0ab1d083388e3a2796a4923038adbc567c183af50e0523806ec5feba92457f4decd142526a7376f196fc67da7cde3b612841745ab03ab0b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
Filesize
9B

MD5
bb0b83c1d1acf5b76ace46c848d95839

SHA1
c981f71d8446f728116775f533967110d7640e6a

SHA256
f323e43fe0edc5859b4de8eab6d0f6c79720959dffd71f165cceb8a0af307748

SHA512
d6edccc0c048ca7632ada4858049be888a8115795e95d616c321a14da7664429a4642375a23be345aa484418038ecd0c3ac15484b4fce77d227bc0b50786a2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Filesize
1KB

MD5
53e6f3872fa637c84a246cc9620fd9fb

SHA1
a9eb17a201955704834454b04db0145cd559335e

SHA256
2d6be56beb0154782ec83608ebd61e4db6f0386ffc0aa8d3321c0e1f6dae8540

SHA512
a7dff1afdd075cad8b461f7a7a940e016b08a0e6320b07518f66d11dde50404816811870d16ab56bb00afb3a06932feafd9b775c8edb624c39ca3fa101b1380e

Download Submit
C:\Users\Admin\AppData\Local\Temp\crop.exe
Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
\??\pipe\crashpad_2252_AYCTHGJQKBGVIBEW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1636-97-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1636-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1636-5-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1636-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1636-4-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1636-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-218-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-222-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-206-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-225-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-224-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-240-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-237-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-201-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-231-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-230-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-228-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-227-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-221-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-219-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-202-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-214-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-216-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-243-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-275-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-259-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-250-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-198-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads