Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03-08-2024 03:40

General

  • Target

    unpacked.exe

  • Size

    72KB

  • MD5

    108756f41d114eb93e136ba2feb838d0

  • SHA1

    8c6b51923ee7da2f4642c7717db95fbb77d96164

  • SHA256

    b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

  • SHA512

    d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa

  • SSDEEP

    768:F9NJK3qZRhxXHIQBsLL16BKc+bBQZ/UMc2:rXzXol6cc+lQZMMc2

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 0C4417665563FACACC6BCADD33341B79 and pay on a Bitcoin Wallet: XsHmuuiWcMgjitqGaxdaafnBGCnP13zcy6 total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 0C4417665563FACACC6BCADD33341B79 this is code; you must send BTC: XsHmuuiWcMgjitqGaxdaafnBGCnP13zcy6 here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Signatures

  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\unpacked.exe
    "C:\Users\Admin\AppData\Local\Temp\unpacked.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Users\Admin\AppData\Local\Temp\vnn.exe
      "C:\Users\Admin\AppData\Local\Temp\vnn.exe" {4a6feaa9-5125-11ef-ad6f-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\unpacked.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1412

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\!satana!.txt

    Filesize

    1KB

    MD5

    3ded20899c7c81e008441b646fa6b96a

    SHA1

    dcd2687c0e7ed577d456ffd26da0565b3326866d

    SHA256

    b7aa982c8ab7795cc5bdc1e63d8e3dcadd5cf0dd50b4712e4b31e6b7eb1da28e

    SHA512

    eb9dbfc8cfe53f1d5f6525e1495c505799b8b86bf0db1c2c3f5ebceefb7a63d779ae3daffbeaad24e08d50e04a81e5bd1bf8b94794a15febe195390cb18e9c3b

  • C:\Users\Admin\AppData\Local\Temp\vnn.exe

    Filesize

    72KB

    MD5

    108756f41d114eb93e136ba2feb838d0

    SHA1

    8c6b51923ee7da2f4642c7717db95fbb77d96164

    SHA256

    b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

    SHA512

    d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa