Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-03-2023 09:47
Behavioral tasks
behavioral1: Sample 084a81881745038f4fa7227b92aed4a0ad3603d1063cfc100f0adffbfc55eef2.exe, Resource win7-20230220-en
behavioral2: Sample 084a81881745038f4fa7227b92aed4a0ad3603d1063cfc100f0adffbfc55eef2.exe, Resource win10v2004-20230220-en
behavioral3: Sample 25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe, Resource win7-20230220-en
behavioral4: Sample 25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe, Resource win10v2004-20230221-en
behavioral5: Sample 65a67ae4ac7290dbdba5832de2128461f68d6b5f37321bc2c4f82087342728b4.jar, Resource win7-20230220-en
behavioral6: Sample 65a67ae4ac7290dbdba5832de2128461f68d6b5f37321bc2c4f82087342728b4.jar, Resource win10v2004-20230220-en
behavioral7: Sample d7ab78ce470e7e7f745d06f364a88c3e8b04cc649324380497d9faf4aa93c009.exe, Resource win7-20230220-en
behavioral8: Sample d7ab78ce470e7e7f745d06f364a88c3e8b04cc649324380497d9faf4aa93c009.exe, Resource win10v2004-20230220-en
behavioral9: Sample daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exe, Resource win7-20230220-en
General
Target: 25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe
Size: 1.7MB
MD5: 58d30af5992e33b351293b23ce97724f
SHA1: 22e8cd9c08037ea925d57355c4ae142490688bb9
SHA256: 25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd
SHA512: e3c5034f07d85a4cf4f3de8314fb332ebdab3ed5e6058340951bf3482cd03ee2ceb42817bc2fcb8d12c3a5becdb52896d7bd8ff72c8c978034626cc7fd93244d
SSDEEP: 49152:BRoNt5F+/BocHmdgcmPH8fKr1HbYObrTTAj/unm0yJk:DoNt5E/BoC6gcCcfKtjfnvkk
Malware Config
Signatures
- SatanCryptor
  Golang ransomware first seen in early 2020.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe queried key value \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Processes: Satan.exe (PID 1228)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: Satan.exe opened (read-only) the drive roots \??\A:, B:, E:, F:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z: (every letter except C: and D:)
- Drops file in Program Files directory (64 IoCs)
  Processes: Satan.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 2660 (25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe) wrote to memory of PID 1228 (Satan.exe), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe (PID 2660), command line "C:\Users\Admin\AppData\Local\Temp\25f38c1ea9b72f30be7df57ee6c0a358de7c23d59c2a0dd5f9c8c787c863abbd.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Satan.exe (PID 1228), command line "C:\Satan.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 143KB
  MD5: 1fedee59eb95756282cff2493da93689
  SHA1: dde1ee119b5c2e1facd22df44b7487f17f319c84
  SHA256: 480e8c67f2354530c006380d4804f4bacb1016f0401f391303e3337be94fbb11
  SHA512: 076c3b3ce6b96150e16daa5a49c0fd0762260d183c633d1fa58c9d48c38bfed914c9b69da0e7f5fe68d66edbec6706311dc3859e65d474f1495ce741297f0317