Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
23-04-2022 11:14
Behavioral task
behavioral1
Sample
2019-12-18.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
2019-12-18.exe
Resource
win10v2004-20220414-en
General
-
Target
2019-12-18.exe
-
Size
1.8MB
-
MD5
057aad993a3ef50f6b3ca2db37cb928a
-
SHA1
a57592be641738c86c85308ef68148181249bc0b
-
SHA256
dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876
-
SHA512
87c89027d60f80e99c526584fa093620b3f099151170362424ad78f5e4d7184bd9f2d627ec8463ca202127835f435dd4f85bf2b0d9351593c688855f0bbaffbb
Malware Config
Signatures
-
SatanCryptor
Golang ransomware first seen in early 2020.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
2019-12-18.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\CompareSkip.tiff 2019-12-18.exe File opened for modification C:\Users\Admin\Pictures\ResolveReset.tiff 2019-12-18.exe File opened for modification C:\Users\Admin\Pictures\UpdateApprove.tiff 2019-12-18.exe -
Drops startup file 1 IoCs
Processes:
2019-12-18.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\# SATAN CRYPTOR #.hta 2019-12-18.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 28 IoCs
Processes:
2019-12-18.exedescription ioc process File opened for modification C:\Users\Admin\OneDrive\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Public\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Music\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Public\Music\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Public\Documents\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Public\Videos\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 2019-12-18.exe File opened for modification C:\Users\Admin\Links\desktop.ini 2019-12-18.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 13 extreme-ip-lookup.com -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes:
description flow ioc HTTP User-Agent header 14 Go-http-client/1.1 -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
2019-12-18.exedescription pid process target process PID 1220 wrote to memory of 2572 1220 2019-12-18.exe cmd.exe PID 1220 wrote to memory of 2572 1220 2019-12-18.exe cmd.exe PID 1220 wrote to memory of 2572 1220 2019-12-18.exe cmd.exe PID 1220 wrote to memory of 2488 1220 2019-12-18.exe cmd.exe PID 1220 wrote to memory of 2488 1220 2019-12-18.exe cmd.exe PID 1220 wrote to memory of 2488 1220 2019-12-18.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2019-12-18.exe"C:\Users\Admin\AppData\Local\Temp\2019-12-18.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\cmd.execmd /c ver2⤵PID:2572
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\2019-12-18.exe2⤵PID:2488
-