Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:37

Tasks:
- Static task: static1
- Behavioral task: behavioral1 (sample: satan_1.0.0.14.vir.exe, resource: win7v200430)
- Behavioral task: behavioral2 (sample: satan_1.0.0.14.vir.exe, resource: win10)
General
- Target: satan_1.0.0.14.vir.exe
- Size: 184KB
- MD5: 802e683af9dae89d568acaab6715ce6c
- SHA1: 66777253c5d7691b409ba23e587fd530dd3b9291
- SHA256: 5036daccd356ba9794957dc02668b903e2779eb2865aa2cf6605c8cb9f639da6
- SHA512: da73219d332dfbd15a862511ce9746d9286fe18dc526e6e9545bedddeb035be218a5b3393b5ff68e247faef0254b05b2b73df72a076ee344dd44e5b93bcfefc9
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (173 IoCs)
Processes (pid, process; distinct entries):
- 2892 satan_1.0.0.14.vir.exe
- 3892 eqge.exe
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 3892 eqge.exe
- 3352 eqge.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes (description, pid, process; distinct entries):
- Token: SeShutdownPrivilege, 2984 Explorer.EXE
- Token: SeCreatePagefilePrivilege, 2984 Explorer.EXE
- Token: SeBackupPrivilege, 804 vssvc.exe
- Token: SeRestorePrivilege, 804 vssvc.exe
- Token: SeAuditPrivilege, 804 vssvc.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid, process):
- 2984 Explorer.EXE
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
- 3224 vssadmin.exe
Modifies service (2 TTPs, 5 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
Suspicious use of WriteProcessMemory (58 IoCs)
Processes (description, pid, process, target process; distinct entries):
- PID 2892 wrote to memory of 3908 (satan_1.0.0.14.vir.exe -> satan_1.0.0.14.vir.exe)
- PID 3908 wrote to memory of 3892 (satan_1.0.0.14.vir.exe -> eqge.exe)
- PID 3908 wrote to memory of 3884 (satan_1.0.0.14.vir.exe -> cmd.exe)
- PID 3892 wrote to memory of 3352 (eqge.exe -> eqge.exe)
- PID 3352 wrote to memory of 2668 (eqge.exe -> sihost.exe)
- PID 3352 wrote to memory of 2680 (eqge.exe -> svchost.exe)
- PID 3352 wrote to memory of 2784 (eqge.exe -> taskhostw.exe)
- PID 3352 wrote to memory of 2984 (eqge.exe -> Explorer.EXE)
- PID 3352 wrote to memory of 3140 (eqge.exe -> ShellExperienceHost.exe)
- PID 3352 wrote to memory of 3156 (eqge.exe -> SearchUI.exe)
- PID 3352 wrote to memory of 3380 (eqge.exe -> RuntimeBroker.exe)
- PID 3352 wrote to memory of 3700 (eqge.exe -> DllHost.exe)
- PID 3352 wrote to memory of 3280 (eqge.exe -> backgroundTaskHost.exe)
- PID 3352 wrote to memory of 3856 (eqge.exe -> Conhost.exe)
- PID 2984 wrote to memory of 3224 (Explorer.EXE -> vssadmin.exe)
- PID 2984 wrote to memory of 3352 (Explorer.EXE -> eqge.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes (description, pid, process, target process):
- PID 2892 set thread context of 3908 (satan_1.0.0.14.vir.exe -> satan_1.0.0.14.vir.exe)
- PID 3892 set thread context of 3352 (eqge.exe -> eqge.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes (pid, process; distinct entries):
- 2984 Explorer.EXE
- 3352 eqge.exe
Suspicious use of SendNotifyMessage (1 IoC)
Processes (pid, process):
- 2984 Explorer.EXE
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run (Explorer.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A70C706D-48DD-651B-78C8-E167E45F5247} = "C:\\Users\\Admin\\AppData\\Roaming\\Reux\\eqge.exe" (Explorer.EXE)
Processes (process tree; the number in brackets is the depth reported by the sandbox, and child processes are indented under their parent)
- [1] c:\windows\system32\sihost.exe
  Command line: sihost.exe
- [1] c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- [1] c:\windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SendNotifyMessage; Adds Run key to start application
  - [2] C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.14.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.14.vir.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext
    - [3] C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.14.vir.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.14.vir.exe"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\Reux\eqge.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Reux\eqge.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Executes dropped EXE; Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext
        - [5] C:\Users\Admin\AppData\Roaming\Reux\eqge.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Reux\eqge.exe"
          Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory; Suspicious use of NtSetInformationThreadHideFromDebugger
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_61896801.bat"
        - [5] C:\Windows\System32\Conhost.exe
          Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - [2] C:\Windows\System32\vssadmin.exe
    Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
    Signatures: Interacts with shadow copies
- [1] C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- [1] C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- [1] C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- [1] C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken; Modifies service
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp_61896801.bat
- C:\Users\Admin\AppData\Roaming\Reux\eqge.exe
- C:\Users\Admin\AppData\Roaming\Reux\eqge.exe
- C:\Users\Admin\AppData\Roaming\Reux\eqge.exe
- memory/3224-11-0x0000000000000000-mapping.dmp
- memory/3352-7-0x0000000000400000-0x0000000000417000-memory.dmp (filesize: 92KB)
- memory/3352-8-0x0000000000401D2C-mapping.dmp
- memory/3352-10-0x0000000000400000-0x0000000000417000-memory.dmp (filesize: 92KB)
- memory/3884-5-0x0000000000000000-mapping.dmp
- memory/3892-3-0x0000000000000000-mapping.dmp
- memory/3908-2-0x0000000000400000-0x0000000000412000-memory.dmp (filesize: 72KB)
- memory/3908-0-0x0000000000400000-0x0000000000412000-memory.dmp (filesize: 72KB)
- memory/3908-1-0x0000000000401A8B-mapping.dmp