Overview

overview

10

Static

static

3

2024-06-26...na.exe

windows7-x64

2024-06-26...na.exe

windows10-2004-x64

5

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-06-26_b77f6f24973caca9a4b5d760720cab95_satana

  • Size

    49KB

  • Sample

    240626-2alf4axcqa

  • MD5

    b77f6f24973caca9a4b5d760720cab95

  • SHA1

    7d970a266bfd7fd3253480574c7ecc42c9a72432

  • SHA256

    b8559ae3347db05fb42aca5c90d4c0908655fb2955a0ef0db04e23d0c35bc698

  • SHA512

    cf8d6c3c09f5a76aae968f8a2d281e96c232ddb2dba5ec9a1c9ef564674bca6cad4cd619903d305dfb76427c59e3e45c1ee827fa57615343454fafab3d43b93b

  • SSDEEP

    768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiw6Dj:Apw10vnAOIUaJh4IXdWXLXTWLfuCj

Score
10/10
satanabootkitdefense_evasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: XckRGrfki7heuskuFavvh14wmRiaAucrPn total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: XckRGrfki7heuskuFavvh14wmRiaAucrPn here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Targets

    • Target

      2024-06-26_b77f6f24973caca9a4b5d760720cab95_satana

    • Size

      49KB

    • MD5

      b77f6f24973caca9a4b5d760720cab95

    • SHA1

      7d970a266bfd7fd3253480574c7ecc42c9a72432

    • SHA256

      b8559ae3347db05fb42aca5c90d4c0908655fb2955a0ef0db04e23d0c35bc698

    • SHA512

      cf8d6c3c09f5a76aae968f8a2d281e96c232ddb2dba5ec9a1c9ef564674bca6cad4cd619903d305dfb76427c59e3e45c1ee827fa57615343454fafab3d43b93b

    • SSDEEP

      768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiw6Dj:Apw10vnAOIUaJh4IXdWXLXTWLfuCj

    Score
    10/10
    satanabootkitdefense_evasionexecutionimpactpersistenceransomwarespywarestealer

    • Satana

      Ransomware family which also encrypts the system's Master Boot Record (MBR).

      ransomwaresatana

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks