84dd7afbfc63272eea2c55b6d079ef1897971516e3a7359aa932fec10ea6d4b6

General

Target

satan_1.0.0.6.vir.exe
Size

186KB
MD5

b15b72290de91e819900fa1a5b44d149
SHA1

7182c6b1f970d882ef7e1c6c4608c43b80b6b381
SHA256

84dd7afbfc63272eea2c55b6d079ef1897971516e3a7359aa932fec10ea6d4b6
SHA512

1bc3225884abca71be1eb1cc1b16dc82fec8c657e0992957d93687e45e40e38aba701571f9f58ea7100b464ba2d64b0600548889c92826f17708eabc43822100

Score

9^/10

evasion ransomware persistence trojan

Malware Config

Signatures

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1320 Explorer.EXE
1320 Explorer.EXE
1320 Explorer.EXE
1320 Explorer.EXE

pid	process
1320	Explorer.EXE
1320	Explorer.EXE
1320	Explorer.EXE
1320	Explorer.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7A26B6E5-3134-D57A-47BA-9CB0B8D11DB7} = "C:\\Users\\Admin\\AppData\\Roaming\\Yndofo\\rafi.exe"	Dwm.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

satan_1.0.0.6.vir.exerafi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	satan_1.0.0.6.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rafi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rafi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	satan_1.0.0.6.vir.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1320 Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

pid	process
1320	Explorer.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

satan_1.0.0.6.vir.exesatan_1.0.0.6.vir.exerafi.exerafi.exeExplorer.EXEDwm.exe

description	pid	process	target process
PID 1424 wrote to memory of 1488	1424	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 1424 wrote to memory of 1488	1424	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 1424 wrote to memory of 1488	1424	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 1424 wrote to memory of 1488	1424	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 1424 wrote to memory of 1488	1424	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 1424 wrote to memory of 1488	1424	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 1424 wrote to memory of 1488	1424	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 1424 wrote to memory of 1488	1424	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 1424 wrote to memory of 1488	1424	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 1424 wrote to memory of 1488	1424	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 1488 wrote to memory of 912	1488	satan_1.0.0.6.vir.exe	rafi.exe
PID 1488 wrote to memory of 912	1488	satan_1.0.0.6.vir.exe	rafi.exe
PID 1488 wrote to memory of 912	1488	satan_1.0.0.6.vir.exe	rafi.exe
PID 1488 wrote to memory of 912	1488	satan_1.0.0.6.vir.exe	rafi.exe
PID 912 wrote to memory of 740	912	rafi.exe	rafi.exe
PID 912 wrote to memory of 740	912	rafi.exe	rafi.exe
PID 912 wrote to memory of 740	912	rafi.exe	rafi.exe
PID 912 wrote to memory of 740	912	rafi.exe	rafi.exe
PID 912 wrote to memory of 740	912	rafi.exe	rafi.exe
PID 912 wrote to memory of 740	912	rafi.exe	rafi.exe
PID 912 wrote to memory of 740	912	rafi.exe	rafi.exe
PID 912 wrote to memory of 740	912	rafi.exe	rafi.exe
PID 912 wrote to memory of 740	912	rafi.exe	rafi.exe
PID 912 wrote to memory of 740	912	rafi.exe	rafi.exe
PID 1488 wrote to memory of 292	1488	satan_1.0.0.6.vir.exe	cmd.exe
PID 1488 wrote to memory of 292	1488	satan_1.0.0.6.vir.exe	cmd.exe
PID 1488 wrote to memory of 292	1488	satan_1.0.0.6.vir.exe	cmd.exe
PID 1488 wrote to memory of 292	1488	satan_1.0.0.6.vir.exe	cmd.exe
PID 740 wrote to memory of 1176	740	rafi.exe	taskhost.exe
PID 740 wrote to memory of 1176	740	rafi.exe	taskhost.exe
PID 740 wrote to memory of 1176	740	rafi.exe	taskhost.exe
PID 740 wrote to memory of 1256	740	rafi.exe	Dwm.exe
PID 740 wrote to memory of 1256	740	rafi.exe	Dwm.exe
PID 740 wrote to memory of 1256	740	rafi.exe	Dwm.exe
PID 740 wrote to memory of 1320	740	rafi.exe	Explorer.EXE
PID 740 wrote to memory of 1320	740	rafi.exe	Explorer.EXE
PID 740 wrote to memory of 1320	740	rafi.exe	Explorer.EXE
PID 740 wrote to memory of 1100	740	rafi.exe	conhost.exe
PID 740 wrote to memory of 1100	740	rafi.exe	conhost.exe
PID 740 wrote to memory of 1100	740	rafi.exe	conhost.exe
PID 1320 wrote to memory of 1804	1320	Explorer.EXE	vssadmin.exe
PID 1320 wrote to memory of 1804	1320	Explorer.EXE	vssadmin.exe
PID 1320 wrote to memory of 1804	1320	Explorer.EXE	vssadmin.exe
PID 1256 wrote to memory of 740	1256	Dwm.exe	rafi.exe
PID 1256 wrote to memory of 740	1256	Dwm.exe	rafi.exe
PID 1256 wrote to memory of 740	1256	Dwm.exe	rafi.exe
PID 1256 wrote to memory of 1236	1256	Dwm.exe	DllHost.exe
PID 1256 wrote to memory of 1236	1256	Dwm.exe	DllHost.exe
PID 1256 wrote to memory of 1236	1256	Dwm.exe	DllHost.exe
PID 1256 wrote to memory of 1936	1256	Dwm.exe	DllHost.exe
PID 1256 wrote to memory of 1936	1256	Dwm.exe	DllHost.exe
PID 1256 wrote to memory of 1936	1256	Dwm.exe	DllHost.exe

Executes dropped EXE 2 IoCs

Processes:

rafi.exerafi.exe

pid process

912 rafi.exe
740 rafi.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

292 cmd.exe

pid	process
912	rafi.exe
740	rafi.exe

pid	process
292	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

Processes:

Dwm.exeExplorer.EXEtaskhost.exerafi.exeDllHost.exeDllHost.exe

pid	process
1256	Dwm.exe
1256	Dwm.exe
1256	Dwm.exe
1320	Explorer.EXE
1320	Explorer.EXE
1320	Explorer.EXE
1320	Explorer.EXE
1176	taskhost.exe
1176	taskhost.exe
1176	taskhost.exe
1176	taskhost.exe
740	rafi.exe
740	rafi.exe
740	rafi.exe
1236	DllHost.exe
1236	DllHost.exe
1236	DllHost.exe
1936	DllHost.exe
1936	DllHost.exe
1936	DllHost.exe
740	rafi.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1320 Explorer.EXE
1320 Explorer.EXE
1320 Explorer.EXE
1320 Explorer.EXE
1320 Explorer.EXE
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1804 vssadmin.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE

pid	process
1320	Explorer.EXE
1320	Explorer.EXE
1320	Explorer.EXE
1320	Explorer.EXE
1320	Explorer.EXE

pid	process
1804	vssadmin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 96 IoCs

Processes:

satan_1.0.0.6.vir.exerafi.exe

pid	process
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
1424	satan_1.0.0.6.vir.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe
912	rafi.exe

Loads dropped DLL 2 IoCs

Processes:

satan_1.0.0.6.vir.exe

pid process

1488 satan_1.0.0.6.vir.exe
1488 satan_1.0.0.6.vir.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1644 vssvc.exe
Token: SeRestorePrivilege 1644 vssvc.exe
Token: SeAuditPrivilege 1644 vssvc.exe

pid	process
1488	satan_1.0.0.6.vir.exe
1488	satan_1.0.0.6.vir.exe

description	pid	process
Token: SeBackupPrivilege	1644	vssvc.exe
Token: SeRestorePrivilege	1644	vssvc.exe
Token: SeAuditPrivilege	1644	vssvc.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

satan_1.0.0.6.vir.exerafi.exe

description	pid	process	target process
PID 1424 set thread context of 1488	1424	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 912 set thread context of 740	912	rafi.exe	rafi.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1176

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
PID:1320

C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe
"C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe"
2⤵
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1424

C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe
"C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1488

C:\Users\Admin\AppData\Roaming\Yndofo\rafi.exe
"C:\Users\Admin\AppData\Roaming\Yndofo\rafi.exe"
4⤵
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:912

C:\Users\Admin\AppData\Roaming\Yndofo\rafi.exe
"C:\Users\Admin\AppData\Roaming\Yndofo\rafi.exe"
5⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_a32aed68.bat"
4⤵
- Deletes itself
PID:292

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1699844881-738193331748808369717385504691404484-20130395-1945258830-102497171"
1⤵
PID:1100

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Deletion

2

T1107

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp_a32aed68.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Yndofo\rafi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Yndofo\rafi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Yndofo\rafi.exe

Download Submit
\Users\Admin\AppData\Roaming\Yndofo\rafi.exe

Download Submit
\Users\Admin\AppData\Roaming\Yndofo\rafi.exe

Download Submit
memory/292-10-0x0000000000000000-mapping.dmp

Download
memory/740-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/740-9-0x0000000000401D30-mapping.dmp

Download
memory/740-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/740-15-0x0000000000401D30-mapping.dmp

Download
memory/912-5-0x0000000000000000-mapping.dmp

Download
memory/1488-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1488-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1488-1-0x0000000000401A8B-mapping.dmp

Download
memory/1804-14-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads