satana | hxxps://github[.]com/kh4sh3i/Ransomware-Samples

Analysis

max time kernel
600s
max time network
507s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-11-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

10^/10

satana bootkit discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note

You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 114F2C1C7F3289308101CECD6F2FDC44 and pay on a Bitcoin Wallet: Xoq9wmiB1vbT7WAkGZWcgex544YGdC93Eb total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 114F2C1C7F3289308101CECD6F2FDC44 this is code; you must send BTC: Xoq9wmiB1vbT7WAkGZWcgex544YGdC93Eb here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Emails

[email protected]

Signatures

Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
ransomware satana
Satana family
satana
Executes dropped EXE 1 IoCs

Processes:

fttlwne.exe

pid process

3116 fttlwne.exe

pid	process
3116	fttlwne.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

unpacked.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\khkvwcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"	unpacked.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

17 raw.githubusercontent.com
28 raw.githubusercontent.com
1 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

fttlwne.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 fttlwne.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

def not a virus.exe

description pid process target process

PID 3816 set thread context of 2864 3816 def not a virus.exe def not a virus.exe
Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2056 2864 WerFault.exe def not a virus.exe

flow	ioc
17	raw.githubusercontent.com
28	raw.githubusercontent.com
1	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	fttlwne.exe

description	pid	process	target process
PID 3816 set thread context of 2864	3816	def not a virus.exe	def not a virus.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

pid	pid_target	process	target process
2056	2864	WerFault.exe	def not a virus.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

def not a virus.exeunpacked.exefttlwne.exedef not a virus.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	def not a virus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unpacked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fttlwne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	def not a virus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763254428343842"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 2 IoCs

Processes:

chrome.exeunpacked.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Satana.zip:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Temp\fttlwne.exe\:Zone.Identifier:$DATA	unpacked.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2456 chrome.exe
2456 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

1844 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

2456 chrome.exe
2456 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeCreatePagefilePrivilege	2456	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

OpenWith.exe

pid	process
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2456 wrote to memory of 796	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 796	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2288	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2140	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 2140	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe
PID 2456 wrote to memory of 1776	2456	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb78fdcc40,0x7ffb78fdcc4c,0x7ffb78fdcc58
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,555282725218396330,17892856017084946044,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2036,i,555282725218396330,17892856017084946044,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,555282725218396330,17892856017084946044,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2372 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,555282725218396330,17892856017084946044,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,555282725218396330,17892856017084946044,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4596,i,555282725218396330,17892856017084946044,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,555282725218396330,17892856017084946044,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4400

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1564

C:\Users\Admin\Downloads\Ransomware.Satana\def not a virus.exe
"C:\Users\Admin\Downloads\Ransomware.Satana\def not a virus.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3816
- C:\Users\Admin\Downloads\Ransomware.Satana\def not a virus.exe
  "C:\Users\Admin\Downloads\Ransomware.Satana\def not a virus.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 416
    3⤵
    - Program crash
    PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2864 -ip 2864
1⤵
PID:392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Users\Admin\Downloads\Ransomware.Satana\unpacked.exe
"C:\Users\Admin\Downloads\Ransomware.Satana\unpacked.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2340
- C:\Users\Admin\AppData\Local\Temp\fttlwne.exe
  "C:\Users\Admin\AppData\Local\Temp\fttlwne.exe" {33ae8d1b-84e4-11ef-af9b-806e6f6e6963} "C:\Users\Admin\DOWNLO~1\RANSOM~1.SAT\unpacked.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
80d53a0318ea731d988f3945c8048ece

SHA1
d6b15545504ddf311587910ec49d2658a86489ab

SHA256
36a1ff312ef1e2328bc148ab8891e1cb483a3a9589680cb2d66ca9f18a0ea8e9

SHA512
90da77038d24134441414c7cebe417d0f246f3582c7d2d33f94036977d01d16dab337fa574578a560f2b274ba631de14e900c0a9fd740ee0fa258ec67aec4582

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
30efde51f9ca3292c7b079a2f8425916

SHA1
69c06416123546b6d8d5cb2c0c4fd8dc258eed68

SHA256
9dab70a4fd1b5455c36103ac3e21b40dae1b5558f47fe6f1b0828735f78ea77a

SHA512
06ab7efa98f230a6171e37f00028a49cc9e1099a881802a794abe553633a12272e7d8abaf660ba36f6967438815276c109ed558fb6b1ff48c5b98dd1aa3f1a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a4a6c86577b6457b9196551939fbbb08

SHA1
c0671ca17760dded122c25485662a8a3ad0f29b1

SHA256
3288a901d2c610f0bac7db20547d717c846588257d8a7ced0ca29fa93aaebe81

SHA512
d18b46806541759e2fc00190c978095db49719385abb51d1a834fdb1d1374bf6a56660a5679cf13a2c35c984f9834b8dab32de4753555fba1b9a014f2c068069

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
8515aeebbc59b087ee0a0fa4747683b4

SHA1
4e913d7f4d66df79958fbbcd6f138bd8520a5801

SHA256
f3662255ee1bbacdf4a74144361043e522980d5d902753c6d29b3ff626cfefb9

SHA512
78ac9ee663de1a3c361a76f9662d9ccb288c353c3a9613d65c8c86a61d2aa8f561f8277c3230b16b1c910d41818909da51056280fb8b4d58a3abe80b170df8c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
eb68a1fcafe9fd69658a8ecfb5f0f905

SHA1
1e8cc3c289b78cb515a4a16cf03a2b953d51effd

SHA256
a9a08261e104b4660b386d8648c56efc61f760b80ac8ecb51991f43c915cb509

SHA512
b771ad49330848d4a9213d815841d84b35d5a227d77be27f3622ce121ddcd9a7a59061d8339512985ffae431acae43e5765a7f54cce04343e645ba0e3fd3730d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
017bce8b74053f7bf264fbf29ed44af4

SHA1
8a3ec56e3a58801e470c51a9f9044e3a13bba39d

SHA256
577703c67b21959a412ea22d7bd09c458ed40e9e735c17670453087cf63a4791

SHA512
77a506c59958249ab1405feffdcf762d5a09ee2f44edc385a213d9e7d178ec021b719874f688a8c389b2dde7998aed84599deebe99646cc8c9749a1ea5518e2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8714590ced463dc934dbdec974026414

SHA1
1d9cf03154ccd610b6b37b858513e2f4a59e945c

SHA256
e9f85f7362117e863d3f40f7c2fb01b3de5938c8e8dfe7a8393972276833f8d1

SHA512
0412a7dce3df0925469171bddb81f74eae71db25df5287c536099a6a3a6dc613a142baff247a8827541bcc1dddcb566adbf8c6d72a8126fec9901dbbaa6bb716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c4dceff01ddfb54516be1c4afd6c9edc

SHA1
a16847defffe69265db13147cc5fb5c79f330ecd

SHA256
0a15b1e806207fa51d97cbb92efc040ed1b7cee522f263489e74bad631afa831

SHA512
b4d0167b7af0846a4cb2d12237e80266d8e30e10d445b3700fe302d7e97d54560ef0d320d1ac534faf08aef44024f93fab50beffeeddce6a0ba77463f9283057

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f71b51c2dc9e9b13e5b3afb4e89d023d

SHA1
ce0fa2664d1b1c09adef0ec0223ed25eeea64da2

SHA256
4f6d33e9b5621a6253905b74b861968d6efad954651ce66e6a33b5e334f347f4

SHA512
c2bb6127cc01073f9c327c1dce03778e994ee84c0ad86ecda3f5dc22081daca2029eab9505f58d609eceec9e0efba8fc1e6dd7a627158885f98ed1225e137415

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3ef840e7ec34f23ad8470242669357ca

SHA1
7057dea5e83c51ab1a308e54b5953eb95e53e482

SHA256
09e9569d8bd3eb1d2948af0cd3153a3f7068d9e80252e90fed75b49243d43a81

SHA512
c26de3653fb875e84eb77d307d7f901fa5440b0f88bf8a35c957f55c096310e6c5abd80dd5cb5a6f48b44053de46d64e3f5b8aadf10cdbfd55c68e50238519cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7b8c935939c521c79ec1d656376ef929

SHA1
522c24458d628c8021e73b1011b74b16fe47f59e

SHA256
f2bfefe008b7542fda484cb213b6a7d3689a62563b97fb569cfab20973ed9e37

SHA512
fd1593c6f01ecd1c3fa3577aac26a866dc81b305d05290f5b302b75682d9aeae71e4287b5174e673a92d8ab61f92261405ce81b370b953b7dc3002134db7170c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3c197d4c05de4484c0dc1c52e853a0bb

SHA1
eef3a321c36e2e3acb7b9db73c3c3af7c2d37623

SHA256
4500d7545bcd46ac7195a8dcbc811854220cc8d86c4d3f38932ed6d4e794abe8

SHA512
398025f2921be716200a06d89bf57f7a17cea55204e839844c334992bad082bcb4df62d080b1e7a6f40140bf0131918f5b1842324f73a21f4cf45a904bee7768

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad8d9b660df3f48d78038af91ba1aea9

SHA1
c9463bf66112ac9353565c94ba9297aec44b1baf

SHA256
26008abeb96e51d762fcd7352a1526a0bc86af6ba0d99934cd75a6654177527a

SHA512
409b50e002f37f491606a78f0d2fe3c8aaa45c08498f1cbfacf24be98477610b57b5b14d65085b2ecaaf22bbe60c254ef92dbc3968ceb3832e46b0418b07c598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8b0f03c422c91a4400af1e7f0cc8a6d4

SHA1
98c855457afa882174ad636631c977895ac8ad1d

SHA256
12727ffdd47b598919a516b33a02ff649a7e04deba0e78f66fd12370178c541d

SHA512
067d06c56c1b223539dbd50905e701aeb9a93399876ad7a52ada14e4f659c4e2a906e1b20d07a75587ac76f1f4f0c2a689d819b987acad31bb7609300493bcac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
be998afe1eb125725d8d15676cea4b29

SHA1
3d37c5795974a36ea05394bb41b6afcd5e05a414

SHA256
b0ab04c86709fd2aa9eb6933e8439be8f6cfbcf2dbe881b06e4525bc79f853fa

SHA512
c853fbc155cf078cd97b81e94fc14c8fd4b551f78bdd190f0cf9cbb9ddaa7dbc1ca930517e74c3d732ead93f95f16ae8db039f6f68a884cfccd4745f621b1330

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db8ebb7d0ddf4ff59c8bc124e4a8182f

SHA1
f9db83b2e14ae60f84d5efc799e1fce2bd669da0

SHA256
3acfab1930d7145635458da803ae0bfa9fe8e5615ad6c24a40e65ad6c433ed92

SHA512
d9e3e666a77f8b49b6f97684997f2a5b4f65aab8c991896fd67c32af91ce2f6f60acfdfcfcc4b4c9ca2fac4e0453560dd4b5e6a5aad447ff4d8adbc8b7fc68b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
718dde78f11b7212e8265de7847b1aa2

SHA1
d3904ae343ab987b8f38f06491939c7eedce7764

SHA256
b1c2618c440a6125e489ec04cd78a61ad3ef6aa494ba3f5c2ac9bd7251ccd2ad

SHA512
07fe00c0e69fa2f4c73935834b2fb1dfe13e9594e7a765ad7daae6cf2c721f45949b97843d7f229a41077ea00db3f7d77bfb095d0c1ef7aa9f98e8d37439565c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
172a10a70a88c7b49ae441d2adf8bde5

SHA1
ae228879a1bbb5349d61428a2826a3cd8fe4a1ba

SHA256
36e1abd98952c1659114582da23309f1aaeb97ab17b745169fe84dcb06340395

SHA512
c90b337c4abaa39564c774cab38b20e5a0c808f23914eb3abe5e7506e6411597bb028ec075bc2c5d59eafa353f9723f938ab74798dd5c49f5ee088625059a333

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1f402fbd5bcf58d4241611ded69a6c9e

SHA1
3ce17c510c1c5def8b4d906a497a69c69a344bb5

SHA256
e36e3d2eff29561907f70ea5e92d8b80edbbc72f34efb6a938464b678ef3cf93

SHA512
9978e22b53caf2e280474bf338956cc16ace61dfeff780a778cd5fa7a0b6b119147e3ecf9539e2d332872ea7f2b0da177517c0fb577d87e0783bd79301e16be0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
c3fce8a33164be1ac1406543ac7ac12d

SHA1
a72db59550b0f745c6c76388a518b4f93f38e0b1

SHA256
173f580fdc34ecc2a6324a70d5b509349ddc785b051ed3c25067d03b3626d59d

SHA512
2b398c093a3e4090bfa84ea4b20a3995669701735bcac8b329ba860d93373f97ee228b507c040183e09e2c5903b85edbf2ecbc9dcff504c99e0f3ac0433f1a0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
74b282ffc73b3ebd79a38207d1cc6cf2

SHA1
862de21a61d0cb27ef70e207278c0ed0590a0c6a

SHA256
6f5d76b56178e51ba4aafc160920629f8c43a7e5ba95a42e6e412a1c1227308a

SHA512
30d6cfab0ffa409be77326fd0322103f7cf017cbe9df71d305a7f7848205c4286359787a891c79dca672f44b608377ccfdea8da7b6d0094a1431726b30a087f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
afd31c6db20ea506f919c81ecc748019

SHA1
2a28880782c3664b2760099f9aa9b8e883422966

SHA256
969226c001c0ea46f2343787d50bd7b40faeabf8195f45ecd46df84be83f4461

SHA512
f6bf64a8797ce36ac20100b8c2b8d414cc4825c6905b8b514ed7dde0ff5aad89b6a8ae779b674a33256329878d7cc5feb3800a11a7fc68f8d261d909ed2f08fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Filesize
1KB

MD5
b7609ea1055deb6bb56b38272ab8e1e2

SHA1
3a808c5b2aae3117f6e31f29049766856c4d2f36

SHA256
23ea61303fb963070c30d549b11375970ae25e52217b9185b5f1579fbe6ca7ef

SHA512
ea1d2ff3dfc4d5bf50451581eef59d7e97ad83bf7fe1518268b3a74f0bb11d05b9570048c77232130e302942d63d5e809dc2c15c9b0654f4c694bcbf85df7d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fttlwne.exe

Filesize
72KB

MD5
108756f41d114eb93e136ba2feb838d0

SHA1
8c6b51923ee7da2f4642c7717db95fbb77d96164

SHA256
b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

SHA512
d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\fttlwne.exe:Zone.Identifier

Filesize
86B

MD5
df98628703f0cffd2704fa16ccc69d4e

SHA1
4bb8491eb44a8991058b71ef1eeb0d865ee055c7

SHA256
1d6c0da412b7a4df76d64cae7ed6ad600bc1ca19db7a79b52f619097e76c8fa6

SHA512
e51a356b78b6a56b2cb4541e91316189aaabb60699a76fcfb29e26294e36e7fedab3888989e6925ea86ba6654018030ed0c5ae75e75214c3864e1a89dd6d9e82

Download Submit
C:\Users\Admin\Downloads\Ransomware.Satana.zip

Filesize
57KB

MD5
82f621944ee2639817400befabedffcf

SHA1
c183ae5ab43b9b3d3fabdb29859876c507a8d273

SHA256
4785c134b128df624760c02ad23c7e345a234a99828c3fecf58fbd6d5449897f

SHA512
7a2257af32b265596e9f864767f2b86fb439b846f7bffa4b9f477f2e54bc3ff2bb56a39db88b72a0112972959570afc697c3202839a836a6d10409a10985031b

Download Submit
C:\Users\Admin\Downloads\Ransomware.Satana.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
\??\pipe\crashpad_2456_VZOSICBLEACVDNEX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2864-449-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-450-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-452-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-454-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-455-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download