Overview
Samples in this submission (score, sample as shown truncated on the page, platform):

  7   Documents/...er.exe     windows10-2004-x64
  10  Documents/...ll.exe     windows10-2004-x64
  3   Documents/...aw.exe     windows10-2004-x64
  10  Documents/...ky.exe     windows10-2004-x64
  10  Documents/...31.exe     windows10-2004-x64
  1   Documents/...3 .exe     windows10-2004-x64
  3   Documents/...d9.dll     windows10-2004-x64
  10  027cc450ef...ju.dll     windows10-2004-x64
  10  ee29b9c013...bc6.js     windows10-2004-x64
  3   fe2e5d0543...L9.rtf     windows10-2004-x64
  1   Documents/...uy.hta     windows10-2004-x64
  10  Documents/...st.exe     windows10-2004-x64
  7   Documents/...39.exe     windows10-2004-x64
  6   Documents/...5c.exe     windows10-2004-x64
  -   Documents/...00.exe     windows10-2004-x64
  7   Supplement...16.scr     windows10-2004-x64
  3   Documents/...ZSFwgb     windows10-2004-x64
  1   Documents/...96.exe     windows10-2004-x64
  5   Documents/...ed.exe     windows10-2004-x64
  10  Documents/...70.exe     windows10-2004-x64
  9   Documents/...67.exe     windows10-2004-x64
  1   Documents/...56.exe     windows10-2004-x64
  1   Documents/...ab.exe     windows10-2004-x64
  8   Documents/...3a.exe     windows10-2004-x64
  8   Documents/...73.exe     windows10-2004-x64
  8   ed01ebfbc9...aa.exe     windows10-2004-x64
  10  Documents/...aa.exe     windows10-2004-x64
Resubmissions (date, analysis id, score):

  22-08-2024 18:43  240822-xc563asamh  10
  21-08-2024 17:16  240821-vtjnaathnq  10
  30-06-2024 00:59  240630-bcjr6svbkk  10
  20-06-2024 02:02  240620-cf43ysxbnk  10
  20-06-2024 01:44  240620-b5v1xawemk  10
  19-06-2024 01:10  240619-bjmseavfmp  10
  18-06-2024 20:40  240618-zfwsxawdpa  10
  18-06-2024 13:45  240618-q2vcjawdle  10

Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 01:44
Behavioral tasks (task, resource, sample):

  behavioral1   win10v2004-20240611-en  Documents/Ransomware.Cerber/cerber.exe
  behavioral2   win10v2004-20240611-en  Documents/Ransomware.Cryptowall/cryptowall.exe
  behavioral3   win10v2004-20240611-en  Documents/Ransomware.Jigsaw/jigsaw.exe
  behavioral4   win10v2004-20240508-en  Documents/Ransomware.Locky/Locky.exe
  behavioral5   win10v2004-20240611-en  Documents/Ransomware.Mamba/131.exe
  behavioral6   win10v2004-20240508-en  Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
  behavioral7   win10v2004-20240508-en  Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.dll
  behavioral8   win10v2004-20240508-en  027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
  behavioral9   win10v2004-20240611-en  ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.js
  behavioral10  win10v2004-20240508-en  fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf
  behavioral11  win10v2004-20240611-en  Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta
  behavioral12  win10v2004-20240611-en  Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe
  behavioral13  win10v2004-20240226-en  Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
  behavioral14  win10v2004-20240611-en  Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
  behavioral15  win10v2004-20240611-en  Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe
  behavioral16  win10v2004-20240508-en  Supplementary Agreement 26_01_2016.scr
  behavioral17  win10v2004-20240611-en  Documents/Ransomware.Rex/WTEpZSFwgb
  behavioral18  win10v2004-20240508-en  Documents/Ransomware.Satana/Ransomware.Satana/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
  behavioral19  win10v2004-20240508-en  Documents/Ransomware.Satana/Ransomware.Satana/unpacked.exe
  behavioral20  win10v2004-20240508-en  Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe
  behavioral21  win10v2004-20240508-en  Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
  behavioral22  win10v2004-20240611-en  Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
  behavioral23  win10v2004-20240611-en  Documents/Ransomware.Vipasana/Ransomware.Vipasana/0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
  behavioral24  win10v2004-20240508-en  Documents/Ransomware.Vipasana/Ransomware.Vipasana/c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe
  behavioral25  win10v2004-20240611-en  Documents/Ransomware.Vipasana/Ransomware.Vipasana/e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe
  behavioral26  win10v2004-20240611-en  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  behavioral27  win10v2004-20240508-en  Documents/Ransomware.WannaCry/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
General

- Target: Documents/Ransomware.Satana/Ransomware.Satana/unpacked.exe
- Size: 72KB
- MD5: 108756f41d114eb93e136ba2feb838d0
- SHA1: 8c6b51923ee7da2f4642c7717db95fbb77d96164
- SHA256: b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c
- SHA512: d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa
- SSDEEP: 768:F9NJK3qZRhxXHIQBsLL16BKc+bBQZ/UMc2:rXzXol6cc+lQZMMc2

Malware Config

- Extracted: C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Signatures

- Satana
  Ransomware family which also encrypts the system's Master Boot Record (MBR).

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
    Description: Key value queried
    IoC: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
    Process: unpacked.exe

- Deletes itself (1 IoC)
    PID: 1596  Process: fzi.exe

- Executes dropped EXE (1 IoC)
    PID: 1596  Process: fzi.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
    Description: Set value (str)
    IoC: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jofs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"
    Process: unpacked.exe

- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
    Description: File opened for modification
    IoC: \??\PHYSICALDRIVE0
    Process: fzi.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of AdjustPrivilegeToken (1 IoC)
    Description: Token: SeIncBasePriorityPrivilege
    PID: 1596  Process: fzi.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
    Description: PID 1732 wrote to memory of 1596   PID: 1732  Process: unpacked.exe  procid_target: 91
    Description: PID 1732 wrote to memory of 1596   PID: 1732  Process: unpacked.exe  procid_target: 91
    Description: PID 1732 wrote to memory of 1596   PID: 1732  Process: unpacked.exe  procid_target: 91
Processes

- C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Satana\Ransomware.Satana\unpacked.exe (PID 1732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Satana\Ransomware.Satana\unpacked.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\fzi.exe (PID 1596, spawned by PID 1732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fzi.exe" {cf3aa7ba-0d68-11ef-a070-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\DOCUME~1\RANSOM~1.SAT\RANSOM~1.SAT\unpacked.exe"
    - Deletes itself
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: 2ce0ee149b8f627a1805bed28920ed34
  SHA1: 432c84630fed3c3ab79ed353c386a4ce5f2f3240
  SHA256: 12fe92e3ec58f591c5a860ecebe6633e201187b0d796e2c88606655c4b9fa79e
  SHA512: 53f741ce16ce416e19472045574dcd24b964466458a439f4992bb991f15b2fe8d15b903aa769674dccce3e3e2eb49ef985994f42bf98cc459c3f58e90f11af15

- Filesize: 72KB
  MD5: 108756f41d114eb93e136ba2feb838d0
  SHA1: 8c6b51923ee7da2f4642c7717db95fbb77d96164
  SHA256: b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c
  SHA512: d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa