Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 19:26
Static task: static1
Behavioral task: behavioral1
- Sample: satan_1.0.0.6.vir.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: satan_1.0.0.6.vir.exe
- Resource: win10v200430
General
- Target: satan_1.0.0.6.vir.exe
- Size: 186KB
- MD5: b15b72290de91e819900fa1a5b44d149
- SHA1: 7182c6b1f970d882ef7e1c6c4608c43b80b6b381
- SHA256: 84dd7afbfc63272eea2c55b6d079ef1897971516e3a7359aa932fec10ea6d4b6
- SHA512: 1bc3225884abca71be1eb1cc1b16dc82fec8c657e0992957d93687e45e40e38aba701571f9f58ea7100b464ba2d64b0600548889c92826f17708eabc43822100
Malware Config
Signatures
- Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
  Processes: Explorer.EXE, noyx.exe
  - pid 2996 Explorer.EXE (4 occurrences)
  - pid 3952 noyx.exe (5 occurrences)
- Modifies system certificate store (2 IoCs)
  Processes: Explorer.EXE
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 (Explorer.EXE)
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob data elided) (Explorer.EXE)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Explorer.EXE
  - Key created: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run (Explorer.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9C53DA81-9EDE-C490-ECC4-4CD8D7BF74D4} = "C:\\Users\\Admin\\AppData\\Roaming\\Icafhe\\noyx.exe" (Explorer.EXE)
- Suspicious behavior: EnumeratesProcesses (192 IoCs)
  Processes: satan_1.0.0.6.vir.exe
  - pid 3848 satan_1.0.0.6.vir.exe (every IoC in this list is the same pid/process entry repeated)
- Suspicious use of WriteProcessMemory (55 IoCs)
  Processes: satan_1.0.0.6.vir.exe, noyx.exe, Explorer.EXE
  pid -> target pid, process -> target process (occurrences)
  - 3848 -> 964, satan_1.0.0.6.vir.exe -> satan_1.0.0.6.vir.exe (9)
  - 964 -> 504, satan_1.0.0.6.vir.exe -> noyx.exe (2)
  - 964 -> 636, satan_1.0.0.6.vir.exe -> cmd.exe (3)
  - 504 -> 3952, noyx.exe -> noyx.exe (9)
  - 3952 -> 2756, noyx.exe -> sihost.exe (3)
  - 3952 -> 2788, noyx.exe -> svchost.exe (3)
  - 3952 -> 2860, noyx.exe -> taskhostw.exe (3)
  - 3952 -> 2996, noyx.exe -> Explorer.EXE (3)
  - 3952 -> 3180, noyx.exe -> ShellExperienceHost.exe (3)
  - 3952 -> 3212, noyx.exe -> SearchUI.exe (3)
  - 3952 -> 3460, noyx.exe -> RuntimeBroker.exe (3)
  - 3952 -> 3688, noyx.exe -> DllHost.exe (3)
  - 3952 -> 756, noyx.exe -> Conhost.exe (3)
  - 2996 -> 1760, Explorer.EXE -> vssadmin.exe (2)
  - 2996 -> 3952, Explorer.EXE -> noyx.exe (3)
- Executes dropped EXE (2 IoCs)
  Processes: noyx.exe
  - pid 504 noyx.exe
  - pid 3952 noyx.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: satan_1.0.0.6.vir.exe, noyx.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (satan_1.0.0.6.vir.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (satan_1.0.0.6.vir.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (noyx.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (noyx.exe)
- Looks for VMWare Tools registry key (2 TTPs)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  - pid 1760 vssadmin.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: satan_1.0.0.6.vir.exe, noyx.exe
  - pid 3848 satan_1.0.0.6.vir.exe set thread context of 964 satan_1.0.0.6.vir.exe
  - pid 504 noyx.exe set thread context of 3952 noyx.exe
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Processes: Explorer.EXE, vssvc.exe
  - Token: SeShutdownPrivilege, pid 2996 Explorer.EXE (5 occurrences)
  - Token: SeCreatePagefilePrivilege, pid 2996 Explorer.EXE (5 occurrences)
  - Token: SeBackupPrivilege, pid 2208 vssvc.exe
  - Token: SeRestorePrivilege, pid 2208 vssvc.exe
  - Token: SeAuditPrivilege, pid 2208 vssvc.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
Processes (indentation shows parent/child relationship; each entry gives the image path, then the command line)
- c:\windows\system32\sihost.exe
  sihost.exe
- c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe
    "C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Checks BIOS information in registry
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe
      "C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe
        "C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe"
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Suspicious use of SetThreadContext
        - C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe
          "C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe"
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of WriteProcessMemory
          - Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_f1a6e59d.bat"
        - C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
    - Interacts with shadow copies
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp_f1a6e59d.bat
- C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe
- C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe
- C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe
- memory/504-3-0x0000000000000000-mapping.dmp
- memory/636-6-0x0000000000000000-mapping.dmp
- memory/964-0-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/964-2-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/964-1-0x0000000000401A8B-mapping.dmp
- memory/1760-12-0x0000000000000000-mapping.dmp
- memory/3952-7-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize: 84KB)
- memory/3952-8-0x0000000000401D30-mapping.dmp
- memory/3952-10-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize: 84KB)