Malware Analysis Report

2024-10-19 07:13

Sample ID: 240318-c856qafe6x
Target: 3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.bin.zip
SHA256: 1352bb4e2f760e3c0a2d2a37e87991c4591fcf3484ef9a469abadb53f801a5dc (this is the submitted .zip; the executable inside it is named by its own SHA256, 3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22, which is also the hash of the dropped copy listed under Files)
Tags: chaos evasion ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 1352bb4e2f760e3c0a2d2a37e87991c4591fcf3484ef9a469abadb53f801a5dc

Threat Level: Known bad

The file 3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.bin.zip was found to be: Known bad.

Malicious Activity Summary

chaos evasion ransomware spyware stealer

Chaos family

Chaos

Chaos Ransomware

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Drops startup file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Interacts with shadow copies

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-18 02:45

Signatures

Chaos Ransomware

1 hit; no indicator, process or target recorded.

Chaos family

chaos

Unsigned PE

1 hit; no indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-18 02:45
Reported: 2024-03-18 02:48
Platform: win7-20240221-en
Max time kernel: 127s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

4 hits; no indicator, process or target recorded.

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Process: C:\Windows\system32\bcdedit.exe (2 hits; no indicator or target recorded)

Deletes backup catalog

ransomware
Process: C:\Windows\system32\wbadmin.exe (1 hit; no indicator or target recorded)

Drops startup file

Process: C:\Users\Admin\AppData\Roaming\SatanCE.exe (target N/A for all rows)
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Warning
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SatanCE.url

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\SatanCE.exe (1 hit; no indicator or target recorded)

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Every row is "File opened for modification" by C:\Users\Admin\AppData\Roaming\SatanCE.exe (target N/A); the files touched:

C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Music\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Public\Desktop\desktop.ini

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogfhvo9mi.jpg" | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
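The three tables above (a new file in the per-user Startup folder, desktop.ini rewritten in dozens of user folders, the wallpaper pointed at a freshly written image in %TEMP%) are the file and registry side of the detonation. The following is an added example, not part of the sandbox report or of Chaos itself: detection rules run over event tuples in the same Description / Indicator / Process shape as those tables. The tuples are copied from the behavioral1 rows plus one constructed Explorer event as a benign control; the rule names, the directory threshold and the ATT&CK technique IDs are the author's own choices.

```python
"""Rules over file/registry events shaped like the report's signature tables.

Added example. EVENTS mirrors rows from the behavioral1 'Drops startup file',
'Drops desktop.ini file(s)' and 'Sets desktop wallpaper' tables; the Explorer
row is a constructed benign control. Rule names, threshold and ATT&CK IDs are
the author's assumptions, not the report's.
"""
import re
from collections import defaultdict

USER = r"C:\Users\Admin"
SID = "S-1-5-21-406356229-2805545415-1236085040-1000"
SATAN = USER + r"\AppData\Roaming\SatanCE.exe"
STARTUP = USER + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EXPLORER = r"C:\Windows\explorer.exe"  # constructed control, not in the report

# (description, indicator, process), exactly as the report's columns.
EVENTS = [
    ("File created", STARTUP + r"\SatanCE.url", SATAN),
    ("File created", STARTUP + r"\Warning", SATAN),
    ("File opened for modification", STARTUP + r"\desktop.ini", SATAN),
    ("File opened for modification", USER + r"\Documents\desktop.ini", SATAN),
    ("File opened for modification", USER + r"\Pictures\desktop.ini", SATAN),
    ("File opened for modification", USER + r"\Downloads\desktop.ini", SATAN),
    ("File opened for modification", r"C:\Users\Public\Desktop\desktop.ini", SATAN),
    ("File opened for modification", r"F:\$RECYCLE.BIN" + "\\" + SID + r"\desktop.ini", SATAN),
    ("Set value (str)",
     "\\REGISTRY\\USER\\" + SID + r"\Control Panel\Desktop\Wallpaper = "
     + r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\ogfhvo9mi.jpg"', SATAN),
    ("File opened for modification", USER + r"\Music\desktop.ini", EXPLORER),  # benign
]

DESKTOP_INI_DIRS = 5  # distinct folders before a sweep is reported (tuning assumption)
WALLPAPER_RE = re.compile(r'\\Control Panel\\Desktop\\Wallpaper = "(.*)"$', re.IGNORECASE)


def is_system_process(image):
    return image.lower().startswith("c:\\windows\\")


def parent_dir(path):
    return path.rsplit("\\", 1)[0].lower()


def check_startup_drop(desc, indicator, process):
    """A non-system process creating a file in the per-user Startup folder
    (T1547.001 in the author's mapping)."""
    if (desc == "File created" and parent_dir(indicator) == STARTUP.lower()
            and not is_system_process(process)):
        return {"rule": "startup_drop", "technique": "T1547.001",
                "process": process, "detail": indicator}
    return None


def check_temp_wallpaper(desc, indicator, process):
    """Wallpaper value pointing into AppData\\Local\\Temp: a just-written image
    rather than a user-chosen one (T1491.001 in the author's mapping)."""
    m = WALLPAPER_RE.search(indicator)
    if desc.startswith("Set value") and m:
        path = m.group(1).replace("\\\\", "\\")  # undo the report's escaping
        if "\\appdata\\local\\temp\\" in path.lower():
            return {"rule": "temp_wallpaper", "technique": "T1491.001",
                    "process": process, "detail": path}
    return None


def run(events):
    findings = []
    ini_dirs = defaultdict(set)
    for desc, indicator, process in events:
        for check in (check_startup_drop, check_temp_wallpaper):
            f = check(desc, indicator, process)
            if f:
                findings.append(f)
        # desktop.ini rewritten in many folders at once is a proxy for the
        # encryptor's directory sweep; one folder is ordinary Explorer activity.
        if indicator.lower().endswith("\\desktop.ini") and not is_system_process(process):
            ini_dirs[process].add(parent_dir(indicator))
    for process, dirs in ini_dirs.items():
        if len(dirs) >= DESKTOP_INI_DIRS:
            findings.append({"rule": "desktop_ini_sweep", "technique": "T1486",
                             "process": process,
                             "detail": f"desktop.ini rewritten in {len(dirs)} directories"})
    return findings


if __name__ == "__main__":
    for f in run(EVENTS):
        print(f'{f["technique"]:<10} {f["rule"]:<18} {f["process"]}  {f["detail"]}')
```

The sweep rule deliberately keys on the folder count rather than on any file name the sample chooses, so it survives a change of ransom-note name or extension; the wallpaper rule unescapes the doubled backslashes the report emits before testing the path.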

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Process: C:\Windows\system32\vssadmin.exe (1 hit; no indicator or target recorded)

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Process: C:\Users\Admin\AppData\Roaming\SatanCE.exe (1 hit; no indicator or target recorded)

Suspicious behavior: GetForegroundWindowSpam

Process: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (1 hit; no indicator or target recorded). The process is Adobe Reader, launched by the Open With dialog to display the ransom note; the polling is Reader's own behaviour, not the sample's.

Suspicious use of AdjustPrivilegeToken

Process | Privileges enabled
C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe | SeDebugPrivilege
C:\Users\Admin\AppData\Roaming\SatanCE.exe | SeDebugPrivilege
C:\Windows\system32\vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
C:\Windows\System32\Wbem\WMIC.exe (the full set is enabled twice) | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 (SeIncreaseWorkingSetPrivilege), 34 (SeTimeZonePrivilege), 35 (SeCreateSymbolicLinkPrivilege)
C:\Windows\system32\wbengine.exe | SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege

The numeric entries are privilege LUIDs the sandbox did not resolve to names. Only the two SeDebugPrivilege enablements belong to the sample's own processes; the vssvc.exe, WMIC.exe and wbengine.exe entries are those tools' normal start-up behaviour, triggered by the commands the sample ran.

Suspicious use of SetWindowsHookEx

Process: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (2 hits; no indicator or target recorded). As with GetForegroundWindowSpam above, this is Adobe Reader displaying the ransom note, not the sample installing a hook.

Suspicious use of WriteProcessMemory

Source (PID) | Target (PID) | Writes
C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe (2760) | C:\Users\Admin\AppData\Roaming\SatanCE.exe (2700) | 3
C:\Users\Admin\AppData\Roaming\SatanCE.exe (2700) | C:\Windows\System32\cmd.exe (2784) | 3
C:\Windows\System32\cmd.exe (2784) | C:\Windows\system32\vssadmin.exe (2832) | 3
C:\Windows\System32\cmd.exe (2784) | C:\Windows\System32\Wbem\WMIC.exe (108) | 3
C:\Users\Admin\AppData\Roaming\SatanCE.exe (2700) | C:\Windows\System32\cmd.exe (2300) | 3
C:\Windows\System32\cmd.exe (2300) | C:\Windows\system32\bcdedit.exe (2060) | 3
C:\Windows\System32\cmd.exe (2300) | C:\Windows\system32\bcdedit.exe (1532) | 3
C:\Users\Admin\AppData\Roaming\SatanCE.exe (2700) | C:\Windows\System32\cmd.exe (624) | 3
C:\Windows\System32\cmd.exe (624) | C:\Windows\system32\wbadmin.exe (2880) | 3
C:\Users\Admin\AppData\Roaming\SatanCE.exe (2700) | C:\Windows\system32\rundll32.exe (1344) | 3
C:\Windows\system32\rundll32.exe (1344) | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (1664) | 4

Every source/target pair is a parent and the child it launched, and no process writes into a process it did not create, so this table documents the process tree (the writes occur at process creation) rather than injection into a foreign process.

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

The sample copies itself to %APPDATA%\SatanCE.exe and runs the copy. SatanCE.exe then removes every local recovery path through three cmd.exe children (shadow copies via vssadmin and wmic, automatic startup repair via bcdedit, the Windows Backup catalog via wbadmin) and finally shows the ransom note by handing C:\Users\Admin\AppData\Roaming\Warning to the Open With dialog (shell32.dll,OpenAs_RunDLL), which the sandbox resolved to Adobe Reader. PIDs are taken from the WriteProcessMemory table; indentation shows parent and child.

C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe (PID 2760)
    "C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe"
  C:\Users\Admin\AppData\Roaming\SatanCE.exe (PID 2700)
      "C:\Users\Admin\AppData\Roaming\SatanCE.exe"
    C:\Windows\System32\cmd.exe (PID 2784)
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      C:\Windows\system32\vssadmin.exe (PID 2832)
          vssadmin delete shadows /all /quiet
      C:\Windows\System32\Wbem\WMIC.exe (PID 108)
          wmic shadowcopy delete
    C:\Windows\System32\cmd.exe (PID 2300)
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      C:\Windows\system32\bcdedit.exe (PID 2060)
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
      C:\Windows\system32\bcdedit.exe (PID 1532)
          bcdedit /set {default} recoveryenabled no
    C:\Windows\System32\cmd.exe (PID 624)
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      C:\Windows\system32\wbadmin.exe (PID 2880)
          wbadmin delete catalog -quiet
    C:\Windows\system32\rundll32.exe (PID 1344)
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Warning
      C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 1664)
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Warning"

System services started on demand by the commands above (Volume Shadow Copy, Block Level Backup Engine, Virtual Disk Service); they are not children of the sample:

C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
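The tree above is the whole recovery-inhibition chain: SatanCE.exe never calls the VSS or BCD APIs itself but spawns cmd.exe for each step, so the thing worth detecting is a user-writable binary sitting at the top of a cmd.exe / vssadmin / wmic / bcdedit / wbadmin lineage. The following is an added example, not part of the sandbox report or of the Chaos code: it rebuilds the process tree from Sysmon-style process-creation records, applies one rule per command seen here, and attributes each hit to the nearest ancestor that is not a Windows system binary. The records are constructed from the PIDs in the WriteProcessMemory table and the command lines listed above; the parent of PID 2760 (given as 0), the rule names and the mapping to ATT&CK T1490 (Inhibit System Recovery) are the author's assumptions.

```python
"""Process-tree reconstruction and recovery-inhibition rules.

Added example. EVENTS is constructed from the report's WriteProcessMemory
table (PIDs) and Processes section (command lines) in a Sysmon Event ID 1
shape; ppid 0 for the sample, the rule names and the ATT&CK mapping are the
author's assumptions.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe")
SATAN = r"C:\Users\Admin\AppData\Roaming\SatanCE.exe"
CMD = r"C:\Windows\System32\cmd.exe"
RUNDLL = r"C:\Windows\system32\rundll32.exe"
ACRORD = r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
NOTE = r"C:\Users\Admin\AppData\Roaming\Warning"

# (pid, ppid, image, command line)
EVENTS = [
    (2760, 0, SAMPLE, f'"{SAMPLE}"'),
    (2700, 2760, SATAN, f'"{SATAN}"'),
    (2784, 2700, CMD, f'"{CMD}" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    (2832, 2784, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (108, 2784, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (2300, 2700, CMD, f'"{CMD}" /C bcdedit /set {{default}} bootstatuspolicy ignoreallfailures'
                      f' & bcdedit /set {{default}} recoveryenabled no'),
    (2060, 2300, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (1532, 2300, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (624, 2700, CMD, f'"{CMD}" /C wbadmin delete catalog -quiet'),
    (2880, 624, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (1344, 2700, RUNDLL, f'"{RUNDLL}" C:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL {NOTE}'),
    (1664, 1344, ACRORD, f'"{ACRORD}" "{NOTE}"'),
]

# Sigma-style rules: image basename plus a command-line pattern. Matching the
# child rather than its cmd.exe wrapper yields one hit per action; a renamed
# copy of the tool would need an extra command-line-only rule.
RULES = [
    ("vssadmin_delete_shadows", "vssadmin.exe", r"delete\s+shadows", "T1490"),
    ("wmic_shadowcopy_delete", "wmic.exe", r"shadowcopy\s+delete", "T1490"),
    ("bcdedit_recoveryenabled_no", "bcdedit.exe", r"recoveryenabled\s+no", "T1490"),
    ("bcdedit_ignore_boot_failures", "bcdedit.exe", r"bootstatuspolicy\s+ignoreallfailures", "T1490"),
    ("wbadmin_delete_catalog", "wbadmin.exe", r"delete\s+catalog", "T1490"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_windows_binary(image):
    return image.lower().startswith("c:\\windows\\")


def build_tree(events):
    """pid -> (ppid, image, cmdline). PID reuse within a long trace would need
    a (pid, start time) key; this short sandbox trace has none."""
    return {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}


def lineage(tree, pid):
    """Images from the oldest recorded ancestor down to pid."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image, _ = tree[pid]
        chain.append(image)
        pid = ppid
    return chain[::-1]


def origin(tree, pid):
    """Nearest ancestor (pid included) that is not a Windows system binary:
    the process that actually issued the LOLBin commands."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image, _ = tree[pid]
        if not is_windows_binary(image):
            return image
        pid = ppid
    return None


def triage(events):
    tree = build_tree(events)
    hits = []
    for pid, (_, image, cmd) in tree.items():
        for name, exe, pattern, technique in RULES:
            if basename(image) == exe and re.search(pattern, cmd, re.IGNORECASE):
                hits.append({"pid": pid, "rule": name, "technique": technique,
                             "origin": origin(tree, pid)})
    return {
        "hits": hits,
        "rules_fired": sorted({h["rule"] for h in hits}),
        "techniques": sorted({h["technique"] for h in hits}),
        "origins": sorted({h["origin"] for h in hits if h["origin"]}),
    }


if __name__ == "__main__":
    result = triage(EVENTS)
    for h in result["hits"]:
        print(f'{h["technique"]} {h["rule"]:<30} pid={h["pid"]:<5} via {h["origin"]}')
    print("vssadmin lineage:", " -> ".join(basename(p) for p in lineage(build_tree(EVENTS), 2832)))
```

On real telemetry the same functions take Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine) or Security 4688 with command-line auditing enabled. Attributing hits to the nearest non-Windows ancestor is what turns five LOLBin events into a single finding against SatanCE.exe; without it, each alert names vssadmin.exe or bcdedit.exe and the responder has to walk the tree by hand.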

Network

N/A

Files

memory/2760-0-0x0000000000050000-0x000000000008E000-memory.dmp

memory/2760-1-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\SatanCE.exe

MD5 6c5819190ff74ba8dcaa64b57e1eb8f7
SHA1 7573ab29469e9d182f56d0b13c1dae41e9184526
SHA256 3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22
SHA512 f9dcb598f6ebc883239280166e6e733fc81275372574ce1017c5e89c6970701b543dd0282569755a7882d7beb64142ccb5e3e252ad8126b914b44620106c346f

This SHA256 is the name of the submitted executable: SatanCE.exe is a byte-for-byte copy of the sample written to %APPDATA%, not a separately dropped payload, so one hash covers both stages.

memory/2700-7-0x00000000000D0000-0x000000000010E000-memory.dmp

memory/2760-8-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

memory/2700-9-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

memory/2700-11-0x000000001B050000-0x000000001B0D0000-memory.dmp

C:\Users\Admin\Documents\Warning

MD5 c75b56f95828f12ebac6712cd64faefa
SHA1 3c5f44d61ef38a8707270adf1ddcde28dc9a25f6
SHA256 f6386967312097f6e26419438d6c5ff6d399d624f9099956a49e4e305417fdc2
SHA512 07f014a78c6b73fb7f0205a55cb390f525c7b622316b2adc32e8d3545ed9b052915cbfb5b1a7f4d498d279eb818143960f44b013e6152ef3304f5b9f3adaea56

The ransom note written into user folders; a file of the same name is created in the Startup folder and in %APPDATA%, where the rundll32 OpenAs_RunDLL call opens it (see Processes).

memory/2700-463-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

memory/2700-464-0x000000001B050000-0x000000001B0D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 7b68fd355d67f0bc7a9515e96b68c3b5
SHA1 b85c198e4707891146916ce7b8c24f1b434e877e
SHA256 7879534505687f0d694e98c53ea51eb754def643f53cfe3a92367d162a741f41
SHA512 746aa8d0948196bfb2c67fe4975ad6ae19914fef6e50a1d0c3f16fbd3a775feff2a3fe5a059424ffe1653a2882fe063804f42bc7bc0b9d99040f8ab6e081eb0b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-18 02:45
Reported: 2024-03-18 02:48
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

2 hits; no indicator, process or target recorded.

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Process: C:\Windows\system32\bcdedit.exe (2 hits; no indicator or target recorded)

Deletes backup catalog

ransomware
Process: C:\Windows\system32\wbadmin.exe (1 hit; no indicator or target recorded)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Drops startup file

Process: C:\Users\Admin\AppData\Roaming\SatanCE.exe (target N/A for all rows)
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SatanCE.url
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Warning

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\SatanCE.exe (1 hit; no indicator or target recorded)

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Every row is "File opened for modification" by C:\Users\Admin\AppData\Roaming\SatanCE.exe (target N/A); the files touched:

C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Public\Videos\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hm47ud213.jpg" | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A

All four reads come from vds.exe, the Virtual Disk Service started as part of the wbadmin/VSS chain; they are the service's own disk enumeration, not code in the sample.

Interacts with shadow copies

ransomware
Process: C:\Windows\system32\vssadmin.exe (1 hit; no indicator or target recorded)

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

OpenWith.exe is the Open With dialog host on Windows 10; on the Windows 7 run the same key was created by the rundll32.exe OpenAs_RunDLL call itself.

Suspicious behavior: AddClipboardFormatListener

Process: C:\Users\Admin\AppData\Roaming\SatanCE.exe (1 hit; no indicator or target recorded)

Suspicious behavior: EnumeratesProcesses

56 hits with no indicator or target recorded: 27 from C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe and 29 from C:\Users\Admin\AppData\Roaming\SatanCE.exe.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SatanCE.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege, LUID unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege, LUID unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege, LUID unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege, LUID unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege, LUID unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege, LUID unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege, LUID unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege, LUID unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 940 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe C:\Users\Admin\AppData\Roaming\SatanCE.exe
PID 940 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe C:\Users\Admin\AppData\Roaming\SatanCE.exe
PID 3740 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Roaming\SatanCE.exe C:\Windows\System32\cmd.exe
PID 3740 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Roaming\SatanCE.exe C:\Windows\System32\cmd.exe
PID 3108 wrote to memory of 2900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3108 wrote to memory of 2900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3108 wrote to memory of 4856 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3108 wrote to memory of 4856 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3740 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\SatanCE.exe C:\Windows\System32\cmd.exe
PID 3740 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\SatanCE.exe C:\Windows\System32\cmd.exe
PID 1948 wrote to memory of 3584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1948 wrote to memory of 3584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1948 wrote to memory of 4932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1948 wrote to memory of 4932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3740 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Roaming\SatanCE.exe C:\Windows\System32\cmd.exe
PID 3740 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Roaming\SatanCE.exe C:\Windows\System32\cmd.exe
PID 3364 wrote to memory of 4980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3364 wrote to memory of 4980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe

"C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe"

C:\Users\Admin\AppData\Roaming\SatanCE.exe

"C:\Users\Admin\AppData\Roaming\SatanCE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding
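Read together, the WriteProcessMemory rows and the Processes list above describe the sample's recovery-inhibition chain: SatanCE.exe (PID 3740) spawns three cmd.exe instances that in turn run vssadmin, WMIC, bcdedit and wbadmin. The Python below is an added example, not part of the sandbox report or of the Chaos sample itself. It reconstructs that process tree from the PIDs printed in the WriteProcessMemory rows, tags each command line with the ATT&CK T1490 (Inhibit System Recovery) behaviour it implements, and walks each hit up to the first ancestor launched from a user-writable directory. The process records are constructed from the report; the root's parent PID of 0 and the pairing of the two bcdedit command lines with PIDs 3584 and 4932 in report order are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation records: (pid, parent_pid, image, command_line).
# PIDs and parent/child links are those in the report's WriteProcessMemory rows,
# command lines are those in its Processes list. Parent PID 0 for the root and the
# order in which the two bcdedit command lines are paired with PIDs are assumptions.
EVENTS = [
    (940, 0,
     r"C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe"'),
    (3740, 940, r"C:\Users\Admin\AppData\Roaming\SatanCE.exe",
     r'"C:\Users\Admin\AppData\Roaming\SatanCE.exe"'),
    (3108, 3740, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    (2900, 3108, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (4856, 3108, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (1948, 3740, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'),
    (3584, 1948, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (4932, 1948, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (3364, 3740, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'),
    (4980, 3364, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
]

# Recovery-inhibition patterns (ATT&CK T1490). Each regex runs case-insensitively over
# the whole command line, so a cmd.exe /C wrapper fires as well as the child it launches.
T1490_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_ignore_failures": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
}

# A user-writable location that no built-in recovery utility should be launched from.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def match_rules(cmdline):
    """Return the sorted names of every T1490 rule that fires on one command line."""
    return sorted(name for name, rx in T1490_RULES.items() if rx.search(cmdline))


def build_tree(events):
    """Index processes by PID and children by parent PID."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return by_pid, children


def ancestry(by_pid, pid):
    """Walk parent links from pid to the root, returning image paths child-first."""
    chain = []
    while pid in by_pid:
        ppid, image, _ = by_pid[pid]
        chain.append(image)
        pid = ppid
    return chain


def triage(events):
    """
    Flag every process whose command line matches a T1490 rule and name the nearest
    ancestor that runs from a user-writable path (the dropped payload).
    """
    by_pid, _ = build_tree(events)
    findings = []
    for pid, ppid, image, cmd in events:
        hits = match_rules(cmd)
        if not hits:
            continue
        origin = next((p for p in ancestry(by_pid, pid) if USER_WRITABLE.search(p)), None)
        findings.append({"pid": pid, "image": image, "rules": hits, "origin": origin})
    return findings


def rule_coverage(events):
    """Set of rule names that fired at least once across the event list."""
    fired = set()
    for _, _, _, cmd in events:
        fired.update(match_rules(cmd))
    return fired


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"PID {f['pid']:<5} {', '.join(f['rules'])} <- {f['origin']}")
```

Against this sample every one of the five rules fires, and every hit traces back to SatanCE.exe under %APPDATA%\Roaming. Fed real Sysmon Event ID 1 or Security 4688 records instead of the constructed list, the same rules fire once on each cmd.exe wrapper and again on its child, so deduplicate on the originating PID in a production detection; the ancestry ending in an unsigned binary in a user profile directory is what separates this chain from an administrator's scripted shadow-copy cleanup.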

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 96.17.178.176:80 tcp

Files

memory/940-0-0x0000000000EE0000-0x0000000000F1E000-memory.dmp

memory/940-1-0x00007FF9F7000000-0x00007FF9F7AC1000-memory.dmp

C:\Users\Admin\AppData\Roaming\SatanCE.exe

MD5 6c5819190ff74ba8dcaa64b57e1eb8f7
SHA1 7573ab29469e9d182f56d0b13c1dae41e9184526
SHA256 3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22 (identical to the SHA256 that names the executed sample: SatanCE.exe is a byte-for-byte self-copy dropped into %APPDATA%\Roaming)
SHA512 f9dcb598f6ebc883239280166e6e733fc81275372574ce1017c5e89c6970701b543dd0282569755a7882d7beb64142ccb5e3e252ad8126b914b44620106c346f

memory/3740-14-0x00007FF9F7000000-0x00007FF9F7AC1000-memory.dmp

memory/940-15-0x00007FF9F7000000-0x00007FF9F7AC1000-memory.dmp

memory/3740-17-0x000000001B930000-0x000000001B940000-memory.dmp

C:\Users\Admin\Documents\Warning

MD5 c75b56f95828f12ebac6712cd64faefa
SHA1 3c5f44d61ef38a8707270adf1ddcde28dc9a25f6
SHA256 f6386967312097f6e26419438d6c5ff6d399d624f9099956a49e4e305417fdc2
SHA512 07f014a78c6b73fb7f0205a55cb390f525c7b622316b2adc32e8d3545ed9b052915cbfb5b1a7f4d498d279eb818143960f44b013e6152ef3304f5b9f3adaea56

memory/3740-476-0x00007FF9F7000000-0x00007FF9F7AC1000-memory.dmp