Malware Analysis Report

2025-01-22 18:57

Sample ID 240315-zklhqsda28
Target SATANA.exe
SHA256 2207f4926319896f1d5b1bf2acd6d0cda56dbc47131b5fd21a7d726ba6dfaa2d
Tags
upx gozi banker evasion isfb persistence trojan bootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2207f4926319896f1d5b1bf2acd6d0cda56dbc47131b5fd21a7d726ba6dfaa2d

Threat Level: Known bad

The file SATANA.exe was found to be: Known bad.

Malicious Activity Summary

upx gozi banker evasion isfb persistence trojan bootkit

Gozi

Drops file in Drivers directory

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Checks computer location settings

UPX packed file

Executes dropped EXE

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-15 20:46

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 20:46

Reported

2024-03-15 20:49

Platform

win7-20240221-en

Max time kernel

35s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SATANA.exe"

Signatures

Gozi

banker trojan gozi

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1" | C:\Windows\system32\reg.exe | N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\675B.tmp\2.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\675B.tmp\\2.exe" | C:\Users\Admin\AppData\Local\Temp\675B.tmp\2.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\tgar8e.exe | C:\Windows\system32\cmd.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\IExplorer = "0" | C:\Windows\system32\reg.exe | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\675B.tmp\2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2016 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\SATANA.exe | C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\SATANA.exe | C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\SATANA.exe | C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\SATANA.exe | C:\Windows\system32\cmd.exe
PID 2172 wrote to memory of 2448 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2448 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2448 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 1148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 1148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 1148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2484 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2484 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2484 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2508 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2508 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2508 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 1168 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 1168 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 1168 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2488 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2488 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2488 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2948 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2948 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2948 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2172 wrote to memory of 2472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SATANA.exe

"C:\Users\Admin\AppData\Local\Temp\SATANA.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\675B.tmp\675C.bat C:\Users\Admin\AppData\Local\Temp\SATANA.exe"

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f

C:\Windows\system32\rundll32.exe

rundll32 user32, SwapMouseButton

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f

C:\Windows\system32\taskkill.exe

taskkill /IM explorer.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM taskmgr.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM notepad.exe /F

C:\Users\Admin\AppData\Local\Temp\675B.tmp\2.exe

2.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\675B.tmp\2.exe"

Network

N/A

Files

memory/2016-0-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\675B.tmp\675C.bat

MD5 1f7a5456ca38839ec9e112425e7fa747
SHA1 8019978db5a80de11bb32463aa7160bb4a4d6b8a
SHA256 f955addebe88273b07cd9db9484f6aaaff58bec7f06898f8cdf224fa8b9cecb6
SHA512 eb57e75f96b7c663af44015e4dca2d6d07d9fed0db609bb6bad790093d0cef69e30ea6bb31093dd505af82a873c7a12f4bfcebe6f68938728d30053fff7c0818

memory/2016-5-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\675B.tmp\2.exe

MD5 4bc20c24fbea4588741203c77126c7b3
SHA1 5f2d2fec4e1d7c752be551363743069d9a4e7510
SHA256 4cd2ce15d0752711a76118fba8046193a1847c85a3278410191c0a015b387be3
SHA512 3e508012250ad6115e49b059a7fc103274190be425403df7081aa3e4caf130b9fa685c3228cafb6a031c121acdd95d72c1f5180f42caea55213a7bd9de71b31f

memory/2016-11-0x0000000000400000-0x0000000000443000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-15 20:46

Reported

2024-03-15 20:49

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SATANA.exe"

Signatures

Gozi

banker trojan gozi

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1" | C:\Windows\system32\reg.exe | N/A

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\drivers\rteth.sys | C:\Windows\system32\cmd.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SATANA.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B72.tmp\2.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1B72.tmp\\2.exe" | C:\Users\Admin\AppData\Local\Temp\1B72.tmp\2.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1B72.tmp\2.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\_iyiwy.exe | C:\Windows\system32\cmd.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1B72.tmp\2.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\IExplorer = "0" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown | C:\Windows\system32\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1B72.tmp\2.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3792 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\SATANA.exe | C:\Windows\system32\cmd.exe
PID 3792 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\SATANA.exe | C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 1104 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1104 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1448 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1448 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 756 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 756 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1796 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1796 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 2284 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 2284 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1164 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1164 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4720 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4720 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 5024 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 5024 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 2156 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 2156 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 664 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 664 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3184 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3184 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3308 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3308 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 4716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 2300 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 2300 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 1952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3280 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2200 wrote to memory of 3280 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SATANA.exe

"C:\Users\Admin\AppData\Local\Temp\SATANA.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1B72.tmp\1B93.bat C:\Users\Admin\AppData\Local\Temp\SATANA.exe"

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f

C:\Windows\system32\rundll32.exe

rundll32 user32, SwapMouseButton

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f

C:\Windows\system32\taskkill.exe

taskkill /IM explorer.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM taskmgr.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM notepad.exe /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\1B72.tmp\2.exe

2.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\1B72.tmp\2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2056 -ip 2056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 524

Network

Country | Destination | Domain | Proto
GB | 142.250.187.234:443 | | tcp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 13.107.253.64:443 | | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp

Files

memory/3792-0-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B72.tmp\1B93.bat

MD5 1f7a5456ca38839ec9e112425e7fa747
SHA1 8019978db5a80de11bb32463aa7160bb4a4d6b8a
SHA256 f955addebe88273b07cd9db9484f6aaaff58bec7f06898f8cdf224fa8b9cecb6
SHA512 eb57e75f96b7c663af44015e4dca2d6d07d9fed0db609bb6bad790093d0cef69e30ea6bb31093dd505af82a873c7a12f4bfcebe6f68938728d30053fff7c0818

memory/3792-5-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B72.tmp\2.exe

MD5 4bc20c24fbea4588741203c77126c7b3
SHA1 5f2d2fec4e1d7c752be551363743069d9a4e7510
SHA256 4cd2ce15d0752711a76118fba8046193a1847c85a3278410191c0a015b387be3
SHA512 3e508012250ad6115e49b059a7fc103274190be425403df7081aa3e4caf130b9fa685c3228cafb6a031c121acdd95d72c1f5180f42caea55213a7bd9de71b31f

memory/3792-13-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2056-14-0x0000000000400000-0x000000000043B000-memory.dmp