satana | cd2b9754497e4b364242705cc435703bc110e1631ff3ec3064f8d05e55e6b268

Reason

Machine shutdown

General

Target

20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
Size

144KB
MD5

baaaf1539a72ab606ebdb8f3fc1b9e79
SHA1

edcc94fcc1bb8c70e5ee2d558e22ba3af9350b88
SHA256

cd2b9754497e4b364242705cc435703bc110e1631ff3ec3064f8d05e55e6b268
SHA512

f260103ba23e4a6bd9b6b5ddcf84bf6a1f51d41dfb6624cc736e713443da1b860e4a21983c50d71e86004f936aa82b78df916a9a57434119d03ce8eccb5366ca
SSDEEP

768:oebF010RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtwq6gTl7:oep010vnAOIUaJh4IXdWXLXTWLfuR

Score

10^/10

satana bootkit defense_evasion discovery execution impact persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note

You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: Xqz5WKhkQJBub7XABd4TJANXtQXGCacNUG total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: Xqz5WKhkQJBub7XABd4TJANXtQXGCacNUG here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Emails

[email protected]

Signatures

Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
ransomware satana
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Deletes itself 1 IoCs

Processes:

atv.exe

pid process

2324 atv.exe
Executes dropped EXE 2 IoCs

Processes:

atv.exeatv.exe

pid process

2596 atv.exe
2324 atv.exe

pid	process
2324	atv.exe

pid	process
2596	atv.exe
2324	atv.exe

Loads dropped DLL 6 IoCs

Processes:

20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exeatv.exeatv.exe

pid	process
2828	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
2828	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
2828	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
2828	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
2596	atv.exe
2324	atv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2676-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2676-6-0x0000000000400000-0x0000000000424000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\atv.exe	upx
behavioral1/memory/2596-33-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2596-42-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\ufvrixf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

atv.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 atv.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	atv.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exeatv.exe

description	pid	process	target process
PID 2676 set thread context of 2828	2676	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
PID 2596 set thread context of 2324	2596	atv.exe	atv.exe

Drops file in Program Files directory 64 IoCs

Processes:

atv.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Mahjong\it-IT\!satana!.txt	atv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	atv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml	atv.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\!satana!.txt	atv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png	atv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	atv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml	atv.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\!satana!.txt	atv.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\!satana!.txt	atv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png	atv.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\!satana!.txt	atv.exe
File created	C:\Program Files (x86)\Uninstall Information\!satana!.txt	atv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\[email protected]___bg_Country.gif	atv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_s.png	atv.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	atv.exe
File created	C:\Program Files\Windows Defender\!satana!.txt	atv.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\!satana!.txt	atv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\gadget.xml	atv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png	atv.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\!satana!.txt	atv.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\!satana!.txt	atv.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\!satana!.txt	atv.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\!satana!.txt	atv.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\!satana!.txt	atv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg	atv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png	atv.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\!satana!.txt	atv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\[email protected]___bg_FormsHomePage.gif	atv.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\!satana!.txt	atv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseover.png	atv.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\!satana!.txt	atv.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\!satana!.txt	atv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\[email protected][email protected]___Apex.xml	atv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp	atv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg	atv.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\!satana!.txt	atv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg	atv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png	atv.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\!satana!.txt	atv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg	atv.exe
File created	C:\Program Files\Common Files\System\Ole DB\!satana!.txt	atv.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\!satana!.txt	atv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml	atv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml	atv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png	atv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	atv.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\!satana!.txt	atv.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\!satana!.txt	atv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png	atv.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\!satana!.txt	atv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg	atv.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\!satana!.txt	atv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png	atv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_right.png	atv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\gadget.xml	atv.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\!satana!.txt	atv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png	atv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml	atv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml	atv.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\!satana!.txt	atv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png	atv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png	atv.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\!satana!.txt	atv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png	atv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exeVSSADMIN.EXErundll32.exeNOTEPAD.EXErundll32.exerundll32.exe20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exeatv.exeatv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSSADMIN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atv.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

VSSADMIN.EXE

pid process

2016 VSSADMIN.EXE

pid	process
2016	VSSADMIN.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

atv.exevssvc.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2324	atv.exe
Token: SeBackupPrivilege	1228	vssvc.exe
Token: SeRestorePrivilege	1228	vssvc.exe
Token: SeAuditPrivilege	1228	vssvc.exe
Token: SeShutdownPrivilege	2324	atv.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exeatv.exeatv.exe

description	pid	process	target process
PID 2676 wrote to memory of 2828	2676	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
PID 2676 wrote to memory of 2828	2676	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
PID 2676 wrote to memory of 2828	2676	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
PID 2676 wrote to memory of 2828	2676	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
PID 2676 wrote to memory of 2828	2676	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
PID 2676 wrote to memory of 2828	2676	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
PID 2676 wrote to memory of 2828	2676	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
PID 2676 wrote to memory of 2828	2676	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
PID 2676 wrote to memory of 2828	2676	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
PID 2676 wrote to memory of 2828	2676	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
PID 2828 wrote to memory of 2596	2828	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	atv.exe
PID 2828 wrote to memory of 2596	2828	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	atv.exe
PID 2828 wrote to memory of 2596	2828	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	atv.exe
PID 2828 wrote to memory of 2596	2828	20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe	atv.exe
PID 2596 wrote to memory of 2324	2596	atv.exe	atv.exe
PID 2596 wrote to memory of 2324	2596	atv.exe	atv.exe
PID 2596 wrote to memory of 2324	2596	atv.exe	atv.exe
PID 2596 wrote to memory of 2324	2596	atv.exe	atv.exe
PID 2596 wrote to memory of 2324	2596	atv.exe	atv.exe
PID 2596 wrote to memory of 2324	2596	atv.exe	atv.exe
PID 2596 wrote to memory of 2324	2596	atv.exe	atv.exe
PID 2596 wrote to memory of 2324	2596	atv.exe	atv.exe
PID 2596 wrote to memory of 2324	2596	atv.exe	atv.exe
PID 2596 wrote to memory of 2324	2596	atv.exe	atv.exe
PID 2324 wrote to memory of 2016	2324	atv.exe	VSSADMIN.EXE
PID 2324 wrote to memory of 2016	2324	atv.exe	VSSADMIN.EXE
PID 2324 wrote to memory of 2016	2324	atv.exe	VSSADMIN.EXE
PID 2324 wrote to memory of 2016	2324	atv.exe	VSSADMIN.EXE
PID 2324 wrote to memory of 15716	2324	atv.exe	NOTEPAD.EXE
PID 2324 wrote to memory of 15716	2324	atv.exe	NOTEPAD.EXE
PID 2324 wrote to memory of 15716	2324	atv.exe	NOTEPAD.EXE
PID 2324 wrote to memory of 15716	2324	atv.exe	NOTEPAD.EXE
PID 2324 wrote to memory of 15800	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15800	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15800	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15800	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15800	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15800	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15800	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15800	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15800	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15832	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15832	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15832	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15832	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15832	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15832	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15832	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15832	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15832	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15884	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15884	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15884	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15884	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15884	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15884	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15884	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15884	2324	atv.exe	rundll32.exe
PID 2324 wrote to memory of 15884	2324	atv.exe	rundll32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
"C:\Users\Admin\AppData\Local\Temp\20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
"C:\Users\Admin\AppData\Local\Temp\20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828

C:\Users\Admin\AppData\Local\Temp\atv.exe
"C:\Users\Admin\AppData\Local\Temp\atv.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\202408~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\atv.exe
"C:\Users\Admin\AppData\Local\Temp\atv.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\202408~1.EXE"
4⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\VSSADMIN.EXE
"C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet
5⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2016

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\!satana!.txt
5⤵
- System Location Discovery: System Language Discovery
PID:15716

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
5⤵
- System Location Discovery: System Language Discovery
PID:15800

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
5⤵
- System Location Discovery: System Language Discovery
PID:15832

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
5⤵
- System Location Discovery: System Language Discovery
PID:15884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:15852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:16172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Direct Volume Access

1

T1006

Indicator Removal

2

T1070

File Deletion

Modify Registry

Pre-OS Boot

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!satana!.txt
Filesize
1KB

MD5
54b13de8a305d07f6b7e5fa895fc2249

SHA1
3ec9f269b64d67e19b9804604f51b25e9fdb668d

SHA256
36953bf2e577ebf789c6efe5713810d063c7030c718c51282074076f072b59a2

SHA512
7227543e565d92925c5cd426d85e6b2a62b8b88d31e4cf6b85f33e3c9b6c4a5a07a1477dc98305b1fed7b2d073cac8158d4c35361483a4984dc5e0eedf10c2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\atv.exe
Filesize
144KB

MD5
baaaf1539a72ab606ebdb8f3fc1b9e79

SHA1
edcc94fcc1bb8c70e5ee2d558e22ba3af9350b88

SHA256
cd2b9754497e4b364242705cc435703bc110e1631ff3ec3064f8d05e55e6b268

SHA512
f260103ba23e4a6bd9b6b5ddcf84bf6a1f51d41dfb6624cc736e713443da1b860e4a21983c50d71e86004f936aa82b78df916a9a57434119d03ce8eccb5366ca

Download Submit
memory/2324-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-4838-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/2324-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-89-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-91-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-60-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-92-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-94-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-95-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-97-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-98-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-47-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-99-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-49-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/2324-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-50-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-74-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-71-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-67-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-102-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-61-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-107-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-108-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-79-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-84-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-103-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-106-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-111-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-110-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2596-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2596-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2596-43-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/2676-7-0x00000000001D0000-0x00000000001EB000-memory.dmp

Filesize
108KB

Download
memory/2676-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2676-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2828-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-15-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2828-22-0x0000000002130000-0x0000000002154000-memory.dmp

Filesize
144KB

Download
memory/2828-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-2-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-4-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads