Overview

overview

10

Static

static

7

20240830ba...na.exe

windows7-x64

20240830ba...na.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-08-2024 16:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe

  • Size

    144KB

  • MD5

    baaaf1539a72ab606ebdb8f3fc1b9e79

  • SHA1

    edcc94fcc1bb8c70e5ee2d558e22ba3af9350b88

  • SHA256

    cd2b9754497e4b364242705cc435703bc110e1631ff3ec3064f8d05e55e6b268

  • SHA512

    f260103ba23e4a6bd9b6b5ddcf84bf6a1f51d41dfb6624cc736e713443da1b860e4a21983c50d71e86004f936aa82b78df916a9a57434119d03ce8eccb5366ca

  • SSDEEP

    768:oebF010RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtwq6gTl7:oep010vnAOIUaJh4IXdWXLXTWLfuR

Score
10/10
satanabootkitdiscoverypersistenceransomwareupx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 2405A4C71764E4DD5F21F96288ACCDE6 and pay on a Bitcoin Wallet: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 2405A4C71764E4DD5F21F96288ACCDE6 this is code; you must send BTC: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Signatures

  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

    ransomwaresatana
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
    "C:\Users\Admin\AppData\Local\Temp\20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe
      "C:\Users\Admin\AppData\Local\Temp\20240830baaaf1539a72ab606ebdb8f3fc1b9e79satana.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Users\Admin\AppData\Local\Temp\ymdid.exe
        "C:\Users\Admin\AppData\Local\Temp\ymdid.exe" {96169552-510d-11ef-8d47-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\202408~1.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Users\Admin\AppData\Local\Temp\ymdid.exe
          "C:\Users\Admin\AppData\Local\Temp\ymdid.exe" {96169552-510d-11ef-8d47-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\202408~1.EXE"
          4⤵
          • Deletes itself
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\!satana!.txt
    Filesize

    1KB

    MD5

    f8716c4dfb09a3f33d212528815dadb9

    SHA1

    97f5e66b3264b2f07462a18b41f2450b8467384d

    SHA256

    dd41fa4b272f3b9abe7ae130b337c528d6f708afa34010030a458a7277291450

    SHA512

    0f99710600271c15f010f6d199001059b35ecf880b43bbc7998eb620f256fee2bec1ae1cb711fcc43c1eb7a13a3969786c4e8e4c8e7f374a96c5318c878b634f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ymdid.exe
    Filesize

    144KB

    MD5

    baaaf1539a72ab606ebdb8f3fc1b9e79

    SHA1

    edcc94fcc1bb8c70e5ee2d558e22ba3af9350b88

    SHA256

    cd2b9754497e4b364242705cc435703bc110e1631ff3ec3064f8d05e55e6b268

    SHA512

    f260103ba23e4a6bd9b6b5ddcf84bf6a1f51d41dfb6624cc736e713443da1b860e4a21983c50d71e86004f936aa82b78df916a9a57434119d03ce8eccb5366ca

    Download Submit

  • memory/2028-1-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2028-4-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2028-2-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2028-7-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2028-9-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2028-12-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2892-30-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2892-23-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3004-6-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3004-0-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3840-31-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3840-32-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3840-34-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3840-35-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3840-36-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download