Analysis
-
max time kernel
150s
-
max time network
153s
-
platform
windows7_x64
-
resource
win7-20230220-en
-
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
-
submitted
23-03-2023 09:47
Behavioral task
behavioral1
Sample
084a81881745038f4fa7227b92aed4a0ad3603d1063cfc100f0adffbfc55eef2.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
084a81881745038f4fa7227b92aed4a0ad3603d1063cfc100f0adffbfc55eef2.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe
Resource
win10v2004-20230221-en
Behavioral task
behavioral5
Sample
65a67ae4ac7290dbdba5832de2128461f68d6b5f37321bc2c4f82087342728b4.jar
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
65a67ae4ac7290dbdba5832de2128461f68d6b5f37321bc2c4f82087342728b4.jar
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
d7ab78ce470e7e7f745d06f364a88c3e8b04cc649324380497d9faf4aa93c009.exe
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
d7ab78ce470e7e7f745d06f364a88c3e8b04cc649324380497d9faf4aa93c009.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral9
Sample
daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exe
Resource
win7-20230220-en
General
-
Target
25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe
-
Size
1.7MB
-
MD5
58d30af5992e33b351293b23ce97724f
-
SHA1
22e8cd9c08037ea925d57355c4ae142490688bb9
-
SHA256
25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd
-
SHA512
e3c5034f07d85a4cf4f3de8314fb332ebdab3ed5e6058340951bf3482cd03ee2ceb42817bc2fcb8d12c3a5becdb52896d7bd8ff72c8c978034626cc7fd93244d
-
SSDEEP
49152:BRoNt5F+/BocHmdgcmPH8fKr1HbYObrTTAj/unm0yJk:DoNt5E/BoC6gcCcfKtjfnvkk
Malware Config
Signatures
-
SatanCryptor
Golang ransomware first seen in early 2020.
-
Executes dropped EXE 1 IoCs
Processes:
Satan.exe

| pid | process |
| --- | --- |
| 1488 | Satan.exe |

-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2032 wrote to memory of 1488 | 2032 | 25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe | Satan.exe |
| PID 2032 wrote to memory of 1488 | 2032 | 25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe | Satan.exe |
| PID 2032 wrote to memory of 1488 | 2032 | 25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe | Satan.exe |
| PID 2032 wrote to memory of 1488 | 2032 | 25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe | Satan.exe |
Processes
-
C:\Users\Admin\AppData\Local\Temp\25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe
"C:\Users\Admin\AppData\Local\Temp\25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe"
- Suspicious use of WriteProcessMemory
- PID: 2032
  -
  C:\Satan.exe
  "C:\Satan.exe"
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - PID: 1488
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
143KB
MD5
1fedee59eb95756282cff2493da93689
SHA1
dde1ee119b5c2e1facd22df44b7487f17f319c84
SHA256
480e8c67f2354530c006380d4804f4bacb1016f0401f391303e3337be94fbb11
SHA512
076c3b3ce6b96150e16daa5a49c0fd0762260d183c633d1fa58c9d48c38bfed914c9b69da0e7f5fe68d66edbec6706311dc3859e65d474f1495ce741297f0317