Analysis
- max time kernel: 151s
- max time network: 147s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:26

Static task: static1
Behavioral task: behavioral1
- Sample: satan_1.0.0.6.vir.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: satan_1.0.0.6.vir.exe
- Resource: win10v200430
(The signatures, process tree and downloads below are from the win7 run, behavioral1.)

General
- Target: satan_1.0.0.6.vir.exe
- Size: 186KB
- MD5: b15b72290de91e819900fa1a5b44d149
- SHA1: 7182c6b1f970d882ef7e1c6c4608c43b80b6b381
- SHA256: 84dd7afbfc63272eea2c55b6d079ef1897971516e3a7359aa932fec10ea6d4b6
- SHA512: 1bc3225884abca71be1eb1cc1b16dc82fec8c657e0992957d93687e45e40e38aba701571f9f58ea7100b464ba2d64b0600548889c92826f17708eabc43822100
Malware Config
Signatures
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: Explorer.EXE (PID 1320), 4 calls
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Dwm.exe (PID 1256)
  - Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7A26B6E5-3134-D57A-47BA-9CB0B8D11DB7} = "C:\\Users\\Admin\\AppData\\Roaming\\Yndofo\\rafi.exe"
  The writer is Dwm.exe, the Desktop Window Manager, which has no reason to create Run values. The WriteProcessMemory table below shows rafi.exe (PID 740) writing into Dwm.exe (PID 1256) first, so this persistence entry was set by injected code running under the Dwm.exe image. Triage points for a host: a GUID-named Run value in HKCU pointing to an executable under %APPDATA%\Yndofo\.
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: satan_1.0.0.6.vir.exe (PID 1424), rafi.exe (PID 912)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (satan_1.0.0.6.vir.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (rafi.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (rafi.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (satan_1.0.0.6.vir.exe)
  Both the original sample and the dropped copy query the same two values, so a sandbox whose BIOS strings name a hypervisor vendor would be detected at both stages.
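To see what this signature is looking for, here is an added example (not code from the sample or from the sandbox) that mimics the registry read on constructed values and reports the strings that give a VM away. SAMPLES holds made-up values in the shape Windows returns for these REG_MULTI_SZ entries; they are representative, not captured from a real machine. MARKERS is an assumption: vendor substrings commonly matched by anti-VM code, not a list recovered from this sample. The same check run on a live Windows host (read_live_values) tells you whether a hardened sandbox image passes.

```python
"""
Mimic the registry read behind "Checks BIOS information in registry".

Added example, not code from the sample or the sandbox. SAMPLES is
constructed; MARKERS is an assumed, non-exhaustive list of vendor strings.
"""
BIOS_KEY = r"HARDWARE\DESCRIPTION\System"
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion")

# Assumption: substrings anti-VM code typically looks for in these values.
MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "PARALLELS")

# Constructed values in REG_MULTI_SZ shape (list of strings), not real captures.
SAMPLES = {
    "virtualbox_default": {
        "SystemBiosVersion": ["VBOX   - 1"],
        "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.0 VBE BIOS"],
    },
    "vmware_default": {
        "SystemBiosVersion": ["INTEL  - 6040000", "PhoenixBIOS 4.0 Release 6.0"],
        "VideoBiosVersion": ["VMware SVGA II"],
    },
    "physical_or_hardened": {
        "SystemBiosVersion": ["DELL   - 1072009", "1.12.0"],
        "VideoBiosVersion": ["Hardware Version 0.0"],
    },
}


def bios_markers(values):
    """Return the sorted list of MARKERS found in either BIOS value."""
    blob = " ".join(s for name in BIOS_VALUES for s in values.get(name, [])).upper()
    return sorted(m for m in MARKERS if m in blob)


def looks_virtual(values):
    """The yes/no decision an anti-sandbox check derives from the two values."""
    return bool(bios_markers(values))


def read_live_values():
    """Read the two values from the local registry (Windows only).
    Returns None on other platforms so the module still imports there."""
    try:
        import winreg
    except ImportError:
        return None
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIOS_KEY) as key:
        for name in BIOS_VALUES:
            try:
                data, _type = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue
            out[name] = list(data) if isinstance(data, list) else [str(data)]
    return out


if __name__ == "__main__":
    for label, values in SAMPLES.items():
        print(f"{label:22s} virtual={looks_virtual(values)} markers={bios_markers(values)}")
    live = read_live_values()
    if live is not None:
        print("this host:", "VM markers present" if looks_virtual(live) else "no VM markers", bios_markers(live))
```

Substring matching on the upper-cased values mirrors how such checks are usually written; a sandbox image that rewrites these two values to vendor-neutral strings returns an empty marker list and gets past this stage of the sample.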
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes: Explorer.EXE (PID 1320)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  No IoC line is attached to this signature; the evidence is the vssadmin.exe delete shadows /all /quiet command in the process tree, launched from the injected Explorer.EXE (PID 1320).
- Looks for VMWare Tools registry key (2 TTPs)
  No IoC line is attached to this signature; it complements the BIOS-version queries above.
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes: satan_1.0.0.6.vir.exe, rafi.exe, Explorer.EXE, Dwm.exe
  Distinct writer -> target pairs, with the number of recorded writes:
  - PID 1424 satan_1.0.0.6.vir.exe -> PID 1488 satan_1.0.0.6.vir.exe (x10)
  - PID 1488 satan_1.0.0.6.vir.exe -> PID 912 rafi.exe (x4)
  - PID 912 rafi.exe -> PID 740 rafi.exe (x10)
  - PID 1488 satan_1.0.0.6.vir.exe -> PID 292 cmd.exe (x4)
  - PID 740 rafi.exe -> PID 1176 taskhost.exe (x3)
  - PID 740 rafi.exe -> PID 1256 Dwm.exe (x3)
  - PID 740 rafi.exe -> PID 1320 Explorer.EXE (x3)
  - PID 740 rafi.exe -> PID 1100 conhost.exe (x3)
  - PID 1320 Explorer.EXE -> PID 1804 vssadmin.exe (x3)
  - PID 1256 Dwm.exe -> PID 740 rafi.exe (x3)
  - PID 1256 Dwm.exe -> PID 1236 DllHost.exe (x3)
  - PID 1256 Dwm.exe -> PID 1936 DllHost.exe (x3)
  Read in order, these writes give the execution chain: the sample (1424) writes into a second copy of itself (1488), which drops and writes into rafi.exe (912), which in turn writes into a second copy of rafi.exe (740). That copy injects into taskhost.exe, Dwm.exe, Explorer.EXE and conhost.exe; the injected Explorer.EXE then launches vssadmin.exe, and the injected Dwm.exe writes the Run key, writes back into rafi.exe and into two DllHost.exe instances. Every later action therefore appears under a trusted Windows image name rather than under the sample's own.
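Reconstructing that chain by hand from the flattened table is error-prone, so here is an added example (not code from the sandbox or from the sample) that parses the distinct "wrote to memory of" and "set thread context of" lines from this report, retyped into EVENTS, and derives the self-hollowing pairs, the injections into system processes, what the injected system processes did afterwards, and the writer chain leading to vssadmin.exe. SYSTEM_IMAGES is an assumption: the images the report shows at depth 1, treated as pre-existing Windows processes so that a write into one of them counts as injection.

```python
"""
Rebuild an injection chain from Triage-style WriteProcessMemory and
SetThreadContext IoC lines.

Added example, not code from the sandbox or the sample. EVENTS holds the
distinct lines of the report above, retyped by hand (the report repeats each
several times). SYSTEM_IMAGES is an assumption used to classify targets.
"""
import re

EVENTS = """\
PID 1424 wrote to memory of 1488 1424 satan_1.0.0.6.vir.exe satan_1.0.0.6.vir.exe
PID 1488 wrote to memory of 912 1488 satan_1.0.0.6.vir.exe rafi.exe
PID 912 wrote to memory of 740 912 rafi.exe rafi.exe
PID 1488 wrote to memory of 292 1488 satan_1.0.0.6.vir.exe cmd.exe
PID 740 wrote to memory of 1176 740 rafi.exe taskhost.exe
PID 740 wrote to memory of 1256 740 rafi.exe Dwm.exe
PID 740 wrote to memory of 1320 740 rafi.exe Explorer.EXE
PID 740 wrote to memory of 1100 740 rafi.exe conhost.exe
PID 1320 wrote to memory of 1804 1320 Explorer.EXE vssadmin.exe
PID 1256 wrote to memory of 740 1256 Dwm.exe rafi.exe
PID 1256 wrote to memory of 1236 1256 Dwm.exe DllHost.exe
PID 1256 wrote to memory of 1936 1256 Dwm.exe DllHost.exe
PID 1424 set thread context of 1488 1424 satan_1.0.0.6.vir.exe satan_1.0.0.6.vir.exe
PID 912 set thread context of 740 912 rafi.exe rafi.exe
"""

# Line shape: "PID <src> <op> <dst> <src again> <src image> <dst image>"
LINE_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Assumption: depth-1 images in the report are pre-existing Windows processes.
SYSTEM_IMAGES = {"taskhost.exe", "dwm.exe", "explorer.exe",
                 "conhost.exe", "dllhost.exe"}


def parse_events(text):
    """Parse IoC lines into dicts; refuse lines the regex does not match."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed IoC line: {line!r}")
        events.append(m.groupdict())
    return events


def find_hollowing(events):
    """(src, dst, image) where src wrote into a child running the same image
    and then replaced its thread context: the self-hollowing pattern."""
    wrote = {(e["src"], e["dst"]) for e in events if e["op"].startswith("wrote")}
    return sorted(
        (e["src"], e["dst"], e["dst_img"])
        for e in events
        if e["op"].startswith("set thread")
        and (e["src"], e["dst"]) in wrote
        and e["src_img"].lower() == e["dst_img"].lower()
    )


def find_injections_into_system(events):
    """Writes from a non-system image into a system image."""
    return sorted({
        (e["src"], e["src_img"], e["dst"], e["dst_img"])
        for e in events
        if e["op"].startswith("wrote")
        and e["dst_img"].lower() in SYSTEM_IMAGES
        and e["src_img"].lower() not in SYSTEM_IMAGES
    })


def actions_of_injected(events):
    """Writes performed by a system process after it was injected into:
    attacker code running under a trusted image name."""
    injected = {dst for _, _, dst, _ in find_injections_into_system(events)}
    return sorted({
        (e["src_img"], e["dst"], e["dst_img"])
        for e in events
        if e["op"].startswith("wrote") and e["src"] in injected
    })


def trace_to_origin(events, pid):
    """Follow 'was written to by' edges back from pid. The first writer seen
    per target is kept (the report lists events in order) and cycles such as
    Dwm.exe <-> rafi.exe terminate the walk."""
    first_writer = {}
    for e in events:
        if e["op"].startswith("wrote"):
            first_writer.setdefault(e["dst"], e["src"])
    chain, seen = [pid], {pid}
    while chain[-1] in first_writer and first_writer[chain[-1]] not in seen:
        chain.append(first_writer[chain[-1]])
        seen.add(chain[-1])
    return chain[::-1]


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    print("hollowed:", find_hollowing(evs))
    print("injected into:", find_injections_into_system(evs))
    print("done by injected processes:", actions_of_injected(evs))
    print("vssadmin origin:", " -> ".join(trace_to_origin(evs, "1804")))
```

The useful output for a detection engineer is actions_of_injected: Explorer.EXE spawning vssadmin.exe and Dwm.exe writing into other processes are the events a parent/child or cross-process-write rule should key on, because the sample's own image name never appears in them.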
- Executes dropped EXE (2 IoCs)
  Processes: rafi.exe (PID 912), rafi.exe (PID 740)
- Deletes itself (1 IoCs)
  Processes: cmd.exe (PID 292)
  The deletion runs through the dropped batch file C:\Users\Admin\AppData\Local\Temp\tmp_a32aed68.bat (see the process tree and Downloads); the original satan_1.0.0.6.vir.exe is therefore gone from disk once the dropped rafi.exe is running.
- Suspicious use of NtSetInformationThreadHideFromDebugger (21 IoCs)
  Processes, with the number of calls recorded:
  - PID 1256 Dwm.exe (x3)
  - PID 1320 Explorer.EXE (x4)
  - PID 1176 taskhost.exe (x4)
  - PID 740 rafi.exe (x4)
  - PID 1236 DllHost.exe (x3)
  - PID 1936 DllHost.exe (x3)
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes: Explorer.EXE (PID 1320), 5 calls
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1804)
- Checks whether UAC is enabled (1 IoCs; the signature name is missing from the extracted page and is restored from the Explorer.EXE entry in the process tree)
  Processes: Explorer.EXE (PID 1320)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious behavior: EnumeratesProcesses (96 IoCs)
  Processes: satan_1.0.0.6.vir.exe (PID 1424) and rafi.exe (PID 912), each listed repeatedly, one entry per enumeration call
- Loads dropped DLL (2 IoCs)
  Processes: satan_1.0.0.6.vir.exe (PID 1488), 2 loads
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe (PID 1644)
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeAuditPrivilege
  vssvc.exe is the Windows Volume Shadow Copy service. It enables these privileges itself while serving the vssadmin request, and the service-key writes below are its normal startup behaviour; neither is sample code, so treat both signatures as side effects of the shadow-copy deletion rather than as separate indicators.
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: satan_1.0.0.6.vir.exe, rafi.exe
  - PID 1424 satan_1.0.0.6.vir.exe set thread context of PID 1488 satan_1.0.0.6.vir.exe
  - PID 912 rafi.exe set thread context of PID 740 rafi.exe
  In both cases the parent first wrote into a freshly started copy of its own image (see WriteProcessMemory) and then reset the child's thread context, which is the process-hollowing pattern; the second instance runs the unpacked payload. The mapping dumps for PIDs 1488 and 740 under Downloads (0x401A8B and 0x401D30 respectively) record the entry points the new contexts were pointed at.
Processes
Indentation follows the parent/child depth shown in the report; PIDs are taken from the signature tables above. The top-level entries are Windows system processes, not processes the sample launched: most appear because injected code ran inside them (see WriteProcessMemory), vssvc.exe because the VSS service was started to serve the vssadmin request.

- C:\Windows\system32\taskhost.exe  cmdline: "taskhost.exe"  [PID 1176]
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Windows\system32\Dwm.exe  cmdline: "C:\Windows\system32\Dwm.exe"  [PID 1256]
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Windows\Explorer.EXE  cmdline: C:\Windows\Explorer.EXE  [PID 1320]
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of FindShellTrayWindow
  - Checks whether UAC is enabled
    - C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe"  [PID 1424]
      - Checks BIOS information in registry
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
        - C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe"  [PID 1488, second instance, hollowed by PID 1424]
          - Suspicious use of WriteProcessMemory
          - Loads dropped DLL
            - C:\Users\Admin\AppData\Roaming\Yndofo\rafi.exe  cmdline: "C:\Users\Admin\AppData\Roaming\Yndofo\rafi.exe"  [PID 912]
              - Checks BIOS information in registry
              - Suspicious use of WriteProcessMemory
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetThreadContext
                - C:\Users\Admin\AppData\Roaming\Yndofo\rafi.exe  cmdline: "C:\Users\Admin\AppData\Roaming\Yndofo\rafi.exe"  [PID 740, second instance, hollowed by PID 912]
                  - Suspicious use of WriteProcessMemory
                  - Executes dropped EXE
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
            - C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_a32aed68.bat"  [PID 292]
              - Deletes itself
              The image path is SysWOW64\cmd.exe although the command line names system32: the parent is a 32-bit process, so WoW64 file-system redirection applies. A rule that matches only the system32 path would miss this launch.
    - C:\Windows\System32\vssadmin.exe  cmdline: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet  [PID 1804]
      - Interacts with shadow copies
      Launched by the injected Explorer.EXE, not by the sample's own image; parent/child rules for vssadmin.exe need to cover explorer.exe as the parent.
- C:\Windows\system32\conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe "1699844881-738193331748808369717385504691404484-20130395-1945258830-102497171"  [PID 1100]
- C:\Windows\system32\DllHost.exe  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Windows\system32\vssvc.exe  cmdline: C:\Windows\system32\vssvc.exe  [PID 1644]
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
- C:\Windows\system32\DllHost.exe  cmdline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  (The two DllHost.exe instances are PIDs 1236 and 1936 in the signature tables; the report does not say which COM surrogate is which.)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files:
- C:\Users\Admin\AppData\Local\Temp\tmp_a32aed68.bat
- C:\Users\Admin\AppData\Roaming\Yndofo\rafi.exe (listed five times in the report, three with the drive letter and two as \Users\Admin\AppData\Roaming\Yndofo\rafi.exe; all refer to the same dropped file)

Memory dumps (named PID-index-range):
- memory/292-10-0x0000000000000000-mapping.dmp
- memory/740-8-0x0000000000400000-0x0000000000415000-memory.dmp  (84KB)
- memory/740-9-0x0000000000401D30-mapping.dmp
- memory/740-12-0x0000000000400000-0x0000000000415000-memory.dmp  (84KB)
- memory/740-15-0x0000000000401D30-mapping.dmp
- memory/912-5-0x0000000000000000-mapping.dmp
- memory/1488-0-0x0000000000400000-0x0000000000412000-memory.dmp  (72KB)
- memory/1488-2-0x0000000000400000-0x0000000000412000-memory.dmp  (72KB)
- memory/1488-1-0x0000000000401A8B-mapping.dmp
- memory/1804-14-0x0000000000000000-mapping.dmp

The 0x400000 dumps of PIDs 1488 and 740 are the images written into the hollowed second instances of the sample and of rafi.exe (see SetThreadContext and WriteProcessMemory above); for static analysis of the unpacked code these are the artifacts to start from, not the 186KB file on disk. The 0x401A8B and 0x401D30 mapping dumps mark the entry points the new thread contexts were set to.