satana | f255227fd45316c4681085f39e6da2f509af851f8cc2d2a84ea99c06b935ffe6

Resubmissions

22-08-2024 18:43

240822-xc563asamh 10

21-08-2024 17:16

30-06-2024 00:59

20-06-2024 02:02

20-06-2024 01:44

19-06-2024 01:10

18-06-2024 20:40

18-06-2024 13:45

Analysis

max time kernel
1798s
max time network
1481s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-08-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documents/Ransomware.Satana/Ransomware.Satana/unpacked.exe
Size

72KB
MD5

108756f41d114eb93e136ba2feb838d0
SHA1

8c6b51923ee7da2f4642c7717db95fbb77d96164
SHA256

b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c
SHA512

d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa
SSDEEP

768:F9NJK3qZRhxXHIQBsLL16BKc+bBQZ/UMc2:rXzXol6cc+lQZMMc2

Score

10^/10

satana bootkit discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note

You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: F6D375DC0C4519946836950E8FD28609 and pay on a Bitcoin Wallet: Xoq9wmiB1vbT7WAkGZWcgex544YGdC93Eb total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: F6D375DC0C4519946836950E8FD28609 this is code; you must send BTC: Xoq9wmiB1vbT7WAkGZWcgex544YGdC93Eb here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Emails

[email protected]

Signatures

Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
ransomware satana

Deletes itself 1 IoCs

pid	Process
2800	cyztsrgj.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	cyztsrgj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyfrk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"	unpacked.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	cyztsrgj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unpacked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyztsrgj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2800	cyztsrgj.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 2800	3372	unpacked.exe	82
PID 3372 wrote to memory of 2800	3372	unpacked.exe	82
PID 3372 wrote to memory of 2800	3372	unpacked.exe	82

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Satana\Ransomware.Satana\unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Satana\Ransomware.Satana\unpacked.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Users\Admin\AppData\Local\Temp\cyztsrgj.exe
  "C:\Users\Admin\AppData\Local\Temp\cyztsrgj.exe" {7c8148bb-5125-11ef-9bcb-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\DOCUME~1\RANSOM~1.SAT\RANSOM~1.SAT\unpacked.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Filesize
1KB

MD5
72a3fdee6b12f12d6d3d3f6fd32c037d

SHA1
c4ac1223fd33742b9485226957c08d01d0b29d96

SHA256
9aa91f08f321f1fd8537efcf31be97e2696bac809fd18d02ee329f0130a6d689

SHA512
da6a3b5b403840979cf61a94b7ab249dd34df8c71ebe368d59557a51300d7d332b76a9d90f3ed842d8c13a36a8a61cbf6f85feaeedcbabd80bb4f81248573d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyztsrgj.exe

Filesize
72KB

MD5
108756f41d114eb93e136ba2feb838d0

SHA1
8c6b51923ee7da2f4642c7717db95fbb77d96164

SHA256
b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

SHA512
d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads