Analysis
-
max time kernel
111s -
max time network
145s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
04-11-2020 02:35
General
-
Target
SATURN_RANSOM.bin.exe
-
Size
338KB
-
MD5
bbd4c2d2c72648c8f871b36261be23fd
-
SHA1
77c525e6b8a5760823ad6036e60b3fa244db8e42
-
SHA256
9e87f069de22ceac029a4ac56e6305d2df54227e6b0f0b3ecad52a01fbade021
-
SHA512
38f2ff3b7ff6faa63ef0a3200e0dbb9e48e1d404a065f6919cb6d245699479896a42316f299c33c8cc068922934c64f8aa06c88b000d1676870c1d0c0f18e14a
Malware Config
Signatures
-
Ursnif RM3
A heavily modified version of Ursnif discovered in the wild.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates VirtualBox registry keys 2 TTPs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Modifies extensions of user files 20 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies service 2 TTPs 4 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SATURN_RANSOM.bin.exe"C:\Users\Admin\AppData\Local\Temp\SATURN_RANSOM.bin.exe"1⤵
- Modifies extensions of user files
- Checks BIOS information in registry
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic.exe shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.txt2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.vbs"2⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1592 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\SATURN_RANSOM.bin.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30003⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QQB5J2V0.txtMD5
cf9fbd8d0b51028171dee729653b6abf
SHA1fe0e1efd2d39d9cb858e3dbf4ad15bbb13ea34ed
SHA25656fc934e8983bbc00592f81f9950b3e403d3e653dd0652594681ae784ed5d6e6
SHA51212fd16e7ba7f8a72ed781e00a0538d405a1a173b737cda860edce864c31dd12badf9ff1877be0e310ab698e15ddeecbb2e1eb1b1e08357c2479772e810da4821
-
C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.htmlMD5
81a5c46ac3078e69ee370e929c738602
SHA1404c83c60bf8c5c711be2e99286549c55fed3368
SHA256d6e6ad1b9a348ccab1255ccd894394aec921aa4ecbef55dec17cacdd8c5cd212
SHA5125850a41591a39a84360db47992e360a4f618a28e949e49576cbe10bc624110665d3b1c14f0cfeb9197f567d10cbbe0cedaa9a9a9c281c426b9733f1e9a0614d0
-
C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.txtMD5
f3d19c544c10a8337a7d9f7aef079a43
SHA1252612bbdbdbe790853fe560ce5ce8e1df5fcdc5
SHA256b660c9236f4d6d9b62eb04b40599e852f979dd3dbfd1d03e545a287fe8e5d32b
SHA512c5cd69e7134f6d587d0823f6e7f9e5ba6affd75f5398fcea96e299dfb57996234ba87abe4632b2de807a4b79bbafd1b1132ae55b18a815eb8c4112b48942fb1b
-
C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.vbsMD5
23e0e8c821b40253c04d561a6d06e253
SHA15df1808c8485ad1d90f1431adfa2694dbb1ed693
SHA25654905816b33af2b53b2e127e0a7db664d126700b3fdd360894b9d924544f639a
SHA51287a57f1615db68d57381b1a8602c92e57e3a8bf447ed842f410e50efd13a7f7ba44998b00d5e54238f09cad24ffe59c3aa788c1390364c465c761f3da6a688e8
-
memory/440-3-0x0000000000000000-mapping.dmp
-
memory/1092-0-0x0000000000000000-mapping.dmp
-
memory/1136-4-0x0000000000000000-mapping.dmp
-
memory/1388-8-0x0000000000000000-mapping.dmp
-
memory/1592-5-0x0000000000000000-mapping.dmp
-
memory/1632-9-0x0000000000000000-mapping.dmp
-
memory/1752-11-0x0000000000000000-mapping.dmp
-
memory/1776-2-0x0000000000000000-mapping.dmp
-
memory/1948-10-0x000007FEF6790000-0x000007FEF6A0A000-memory.dmpFilesize
2.5MB
-
memory/1980-1-0x0000000000000000-mapping.dmp