84dd7afbfc63272eea2c55b6d079ef1897971516e3a7359aa932fec10ea6d4b6

General

Target

satan_1.0.0.6.vir.exe
Size

186KB
MD5

b15b72290de91e819900fa1a5b44d149
SHA1

7182c6b1f970d882ef7e1c6c4608c43b80b6b381
SHA256

84dd7afbfc63272eea2c55b6d079ef1897971516e3a7359aa932fec10ea6d4b6
SHA512

1bc3225884abca71be1eb1cc1b16dc82fec8c657e0992957d93687e45e40e38aba701571f9f58ea7100b464ba2d64b0600548889c92826f17708eabc43822100

Score

9^/10

persistence evasion ransomware

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

Explorer.EXEnoyx.exe

pid process

2996 Explorer.EXE
2996 Explorer.EXE
2996 Explorer.EXE
2996 Explorer.EXE
3952 noyx.exe
3952 noyx.exe
3952 noyx.exe
3952 noyx.exe
3952 noyx.exe

pid	process
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
3952	noyx.exe
3952	noyx.exe
3952	noyx.exe
3952	noyx.exe
3952	noyx.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	Explorer.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 5c000000010000000400000000080000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000003000000044006900670069004300650072007400200047006c006f00620061006c00200052006f006f00740020004700320000005300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0620000000100000020000000cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f391d00000001000000100000007dc30bc974695560a2f0090a6545556c030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	Explorer.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9C53DA81-9EDE-C490-ECC4-4CD8D7BF74D4} = "C:\\Users\\Admin\\AppData\\Roaming\\Icafhe\\noyx.exe"	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 192 IoCs

Processes:

satan_1.0.0.6.vir.exe

pid	process
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe
3848	satan_1.0.0.6.vir.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

satan_1.0.0.6.vir.exesatan_1.0.0.6.vir.exenoyx.exenoyx.exeExplorer.EXE

description	pid	process	target process
PID 3848 wrote to memory of 964	3848	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 3848 wrote to memory of 964	3848	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 3848 wrote to memory of 964	3848	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 3848 wrote to memory of 964	3848	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 3848 wrote to memory of 964	3848	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 3848 wrote to memory of 964	3848	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 3848 wrote to memory of 964	3848	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 3848 wrote to memory of 964	3848	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 3848 wrote to memory of 964	3848	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 964 wrote to memory of 504	964	satan_1.0.0.6.vir.exe	noyx.exe
PID 964 wrote to memory of 504	964	satan_1.0.0.6.vir.exe	noyx.exe
PID 964 wrote to memory of 636	964	satan_1.0.0.6.vir.exe	cmd.exe
PID 964 wrote to memory of 636	964	satan_1.0.0.6.vir.exe	cmd.exe
PID 964 wrote to memory of 636	964	satan_1.0.0.6.vir.exe	cmd.exe
PID 504 wrote to memory of 3952	504	noyx.exe	noyx.exe
PID 504 wrote to memory of 3952	504	noyx.exe	noyx.exe
PID 504 wrote to memory of 3952	504	noyx.exe	noyx.exe
PID 504 wrote to memory of 3952	504	noyx.exe	noyx.exe
PID 504 wrote to memory of 3952	504	noyx.exe	noyx.exe
PID 504 wrote to memory of 3952	504	noyx.exe	noyx.exe
PID 504 wrote to memory of 3952	504	noyx.exe	noyx.exe
PID 504 wrote to memory of 3952	504	noyx.exe	noyx.exe
PID 504 wrote to memory of 3952	504	noyx.exe	noyx.exe
PID 3952 wrote to memory of 2756	3952	noyx.exe	sihost.exe
PID 3952 wrote to memory of 2756	3952	noyx.exe	sihost.exe
PID 3952 wrote to memory of 2756	3952	noyx.exe	sihost.exe
PID 3952 wrote to memory of 2788	3952	noyx.exe	svchost.exe
PID 3952 wrote to memory of 2788	3952	noyx.exe	svchost.exe
PID 3952 wrote to memory of 2788	3952	noyx.exe	svchost.exe
PID 3952 wrote to memory of 2860	3952	noyx.exe	taskhostw.exe
PID 3952 wrote to memory of 2860	3952	noyx.exe	taskhostw.exe
PID 3952 wrote to memory of 2860	3952	noyx.exe	taskhostw.exe
PID 3952 wrote to memory of 2996	3952	noyx.exe	Explorer.EXE
PID 3952 wrote to memory of 2996	3952	noyx.exe	Explorer.EXE
PID 3952 wrote to memory of 2996	3952	noyx.exe	Explorer.EXE
PID 3952 wrote to memory of 3180	3952	noyx.exe	ShellExperienceHost.exe
PID 3952 wrote to memory of 3180	3952	noyx.exe	ShellExperienceHost.exe
PID 3952 wrote to memory of 3180	3952	noyx.exe	ShellExperienceHost.exe
PID 3952 wrote to memory of 3212	3952	noyx.exe	SearchUI.exe
PID 3952 wrote to memory of 3212	3952	noyx.exe	SearchUI.exe
PID 3952 wrote to memory of 3212	3952	noyx.exe	SearchUI.exe
PID 3952 wrote to memory of 3460	3952	noyx.exe	RuntimeBroker.exe
PID 3952 wrote to memory of 3460	3952	noyx.exe	RuntimeBroker.exe
PID 3952 wrote to memory of 3460	3952	noyx.exe	RuntimeBroker.exe
PID 3952 wrote to memory of 3688	3952	noyx.exe	DllHost.exe
PID 3952 wrote to memory of 3688	3952	noyx.exe	DllHost.exe
PID 3952 wrote to memory of 3688	3952	noyx.exe	DllHost.exe
PID 3952 wrote to memory of 756	3952	noyx.exe	Conhost.exe
PID 3952 wrote to memory of 756	3952	noyx.exe	Conhost.exe
PID 3952 wrote to memory of 756	3952	noyx.exe	Conhost.exe
PID 2996 wrote to memory of 1760	2996	Explorer.EXE	vssadmin.exe
PID 2996 wrote to memory of 1760	2996	Explorer.EXE	vssadmin.exe
PID 2996 wrote to memory of 3952	2996	Explorer.EXE	noyx.exe
PID 2996 wrote to memory of 3952	2996	Explorer.EXE	noyx.exe
PID 2996 wrote to memory of 3952	2996	Explorer.EXE	noyx.exe

Executes dropped EXE 2 IoCs

Processes:

noyx.exenoyx.exe

pid process

504 noyx.exe
3952 noyx.exe

pid	process
504	noyx.exe
3952	noyx.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

satan_1.0.0.6.vir.exenoyx.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	satan_1.0.0.6.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	satan_1.0.0.6.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	noyx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	noyx.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1760 vssadmin.exe

pid	process
1760	vssadmin.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

satan_1.0.0.6.vir.exenoyx.exe

description	pid	process	target process
PID 3848 set thread context of 964	3848	satan_1.0.0.6.vir.exe	satan_1.0.0.6.vir.exe
PID 504 set thread context of 3952	504	noyx.exe	noyx.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

Explorer.EXEvssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeBackupPrivilege	2208	vssvc.exe
Token: SeRestorePrivilege	2208	vssvc.exe
Token: SeAuditPrivilege	2208	vssvc.exe
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2788

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2860

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe
"C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
PID:3848

C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe
"C:\Users\Admin\AppData\Local\Temp\satan_1.0.0.6.vir.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe
"C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
PID:504

C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe
"C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe"
5⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:3952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_f1a6e59d.bat"
4⤵
PID:636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:756

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1760

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3180

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3212

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3460

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:2208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

3

T1112

Virtualization/Sandbox Evasion

1

T1497

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp_f1a6e59d.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Icafhe\noyx.exe

Download Submit
memory/504-3-0x0000000000000000-mapping.dmp

Download
memory/636-6-0x0000000000000000-mapping.dmp

Download
memory/964-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/964-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/964-1-0x0000000000401A8B-mapping.dmp

Download
memory/1760-12-0x0000000000000000-mapping.dmp

Download
memory/3952-7-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3952-8-0x0000000000401D30-mapping.dmp

Download
memory/3952-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads