Resubmissions

22-08-2024 18:43

240822-xc563asamh 10

21-08-2024 17:16

240821-vtjnaathnq 10

30-06-2024 00:59

240630-bcjr6svbkk 10

20-06-2024 02:02

240620-cf43ysxbnk 10

20-06-2024 01:44

240620-b5v1xawemk 10

19-06-2024 01:10

240619-bjmseavfmp 10

18-06-2024 20:40

240618-zfwsxawdpa 10

18-06-2024 13:45

240618-q2vcjawdle 10

Analysis

  • max time kernel
    75s
  • max time network
    76s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    18-06-2024 20:40

Errors

Reason
Machine shutdown

General

  • Target

    Documents/Ransomware.Satana/Ransomware.Satana/unpacked.exe

  • Size

    72KB

  • MD5

    108756f41d114eb93e136ba2feb838d0

  • SHA1

    8c6b51923ee7da2f4642c7717db95fbb77d96164

  • SHA256

    b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

  • SHA512

    d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa

  • SSDEEP

    768:F9NJK3qZRhxXHIQBsLL16BKc+bBQZ/UMc2:rXzXol6cc+lQZMMc2

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: XsHmuuiWcMgjitqGaxdaafnBGCnP13zcy6 total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: XsHmuuiWcMgjitqGaxdaafnBGCnP13zcy6 here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Signatures

  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Satana\Ransomware.Satana\unpacked.exe
    "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Satana\Ransomware.Satana\unpacked.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Users\Admin\AppData\Local\Temp\dbw.exe
      "C:\Users\Admin\AppData\Local\Temp\dbw.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\DOCUME~1\RANSOM~1.SAT\RANSOM~1.SAT\unpacked.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\VSSADMIN.EXE
        "C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2952
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\!satana!.txt
        3⤵
          PID:13232
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe
          3⤵
            PID:13264
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe
            3⤵
              PID:13288
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe
              3⤵
                PID:12224
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2376
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x0
            1⤵
              PID:11408
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x1
              1⤵
                PID:11468

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\!satana!.txt

                Filesize

                1KB

                MD5

                b71b6af79019846d34214f364eb8ced2

                SHA1

                9461884badbf7a07867dea559cb2967514565ba0

                SHA256

                06199fc48bb1560d90955f6b1c23ba827cea5f74db32eb568fa32de1fcec8ece

                SHA512

                6d7f5c9032cdc0feeb0a07e2bbb7d3e63762d1723c309da9553521fff412d268c8a3ed15d06b4c8db1102354b5d83bda915585f50c9d38695f432bf9abb6e6c7

              • C:\Users\Admin\AppData\Local\Temp\dbw.exe

                Filesize

                72KB

                MD5

                108756f41d114eb93e136ba2feb838d0

                SHA1

                8c6b51923ee7da2f4642c7717db95fbb77d96164

                SHA256

                b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

                SHA512

                d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa

              • memory/13264-2451-0x0000000000090000-0x0000000000091000-memory.dmp

                Filesize

                4KB

              • memory/13264-2449-0x0000000000090000-0x0000000000091000-memory.dmp

                Filesize

                4KB