satancryptor | cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682

General

Target

cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
Size

142KB
MD5

4153cbc1f51bca54ba1e948a3653185b
SHA1

090e58b0b9ce144598b375c0c206289308535ef3
SHA256

cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682
SHA512

d1232323496022e2e48dfa372d9d3844ebd31a2390896bca3914d246666cc29a4019313acf23458c540baa07a261023adf46da5315d21ee0557a0b5eb406fb7f

Score

10^/10

satancryptor ransomware spyware stealer

Malware Config

Signatures

SatanCryptor
Golang ransomware first seen in early 2020.
ransomware satancryptor
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe

description	ioc	process
File opened (read-only)	\??\S:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\O:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\N:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\K:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\J:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\F:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\B:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\W:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\R:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\P:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\L:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\H:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\G:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\A:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\Y:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\V:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\U:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\T:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\Z:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\Q:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\M:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\I:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\E:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened (read-only)	\??\X:	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe

Drops file in Program Files directory 64 IoCs

Processes:

cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]es.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]mng.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]sl.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]cy.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]en.ttt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]ku-ckb.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]sa.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\[[email protected]]89.0.4389.114.manifest.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\[[email protected]]external_extensions.json.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]bn.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]ca.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]gu.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]kaa.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\[[email protected]]SmallLogo.png.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]cs.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]nb.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]es.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\[[email protected]]resources.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\[[email protected]]preloaded_data.pb.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\[[email protected]]7z.sfx.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]bg.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\[[email protected]]chrome_200_percent.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]da.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\[[email protected]]nacl_irt_x86_64.nexe.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]zh-TW.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]th.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]tr.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]hi.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]si.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]da.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]hr.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\[[email protected]]BlockTrace.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\[[email protected]]chrome.exe.sig.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]fr.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]va.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]sr-spc.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\[[email protected]]FindUnprotect.mhtml.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]de.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]vi.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]id.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]nn.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\[[email protected]]ClearCompress.csv.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\[[email protected]]CloseFormat.wax.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\[[email protected]]chrome_100_percent.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]hi.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]gu.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]pt-PT.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]sv.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]vi.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]uk.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]ky.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]ja.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]hu.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]is.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]lv.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]mn.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]yo.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]en-US.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]hy.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]kab.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\[[email protected]]chrome.dll.sig.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]]fi.pak.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]af.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[[email protected]]eo.txt.satan	cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe

C:\Users\Admin\AppData\Local\Temp\cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe
"C:\Users\Admin\AppData\Local\Temp\cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-130-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1108-131-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing