Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 21:35
Static task: static1
Behavioral task: behavioral1 (Sample: satan.exe, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: satan.exe, Resource: win10v2004-20240226-en)
General
Target: satan.exe
Size: 184KB
MD5: c9c341eaf04c89933ed28cbc2739d325
SHA1: c5b7d47aef3bd33a24293138fcba3a5ff286c2a8
SHA256: 1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7
SHA512: 7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b
SSDEEP: 3072:H8SIBtQnE7OhssdWJ5jy392aCmCbBq0ryEbh/Wl7hqU6Q4NJ15xgDbvSY5thfRb3:c7qvhssdu5jyYaCmCQVE6hqUI5sb9Rb3
Malware Config
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Deletes itself (1 IoC)
pid   Process
2924  cmd.exe

Executes dropped EXE (2 IoCs)
pid   Process
1532  yqsi.exe
2676  yqsi.exe

Loads dropped DLL (3 IoCs)
pid   Process
2940  satan.exe
2940  satan.exe
1532  yqsi.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\{694D36CF-F2D8-65F5-CC8A-D97C02965D68} = "C:\\Users\\Admin\\AppData\\Roaming\\Puehiv\\yqsi.exe"
Process: Explorer.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger (21 IoCs)
pid   Process        count
1200  Explorer.EXE   4
2676  yqsi.exe       5
1932  WerFault.exe   4
2316  Dwm.exe        4
2764  WerFault.exe   4

Suspicious use of SetThreadContext (2 IoCs)
description                          pid   Process    procid_target
PID 1624 set thread context of 2940  1624  satan.exe  28
PID 1532 set thread context of 2676  1532  yqsi.exe   32

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid   Process
1444  vssadmin.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process       count
1624  satan.exe     27
1532  yqsi.exe      27
2676  yqsi.exe      4
2456  WerFault.exe  5
2744  WerFault.exe  1

Suspicious use of AdjustPrivilegeToken (14 IoCs)
description                 pid   Process       count
Token: SeShutdownPrivilege  1200  Explorer.EXE  8
Token: SeDebugPrivilege     2456  WerFault.exe  1
Token: SeDebugPrivilege     2744  WerFault.exe  1
Token: SeBackupPrivilege    1116  vssvc.exe     1
Token: SeRestorePrivilege   1116  vssvc.exe     1
Token: SeAuditPrivilege     1116  vssvc.exe     1
Token: SeDebugPrivilege     2764  WerFault.exe  1

Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process       procid_target  count
PID 1624 wrote to memory of 2940  1624  satan.exe     28             10
PID 2940 wrote to memory of 1532  2940  satan.exe     29             4
PID 2940 wrote to memory of 2924  2940  satan.exe     30             4
PID 1532 wrote to memory of 2676  1532  yqsi.exe      32             10
PID 2676 wrote to memory of 1092  2676  yqsi.exe      19             3
PID 2676 wrote to memory of 1168  2676  yqsi.exe      20             3
PID 1092 wrote to memory of 2744  1092  taskhost.exe  33             3
PID 2676 wrote to memory of 1200  2676  yqsi.exe      21             3
PID 1168 wrote to memory of 2456  1168  Dwm.exe       34             3
PID 2676 wrote to memory of 3020  2676  yqsi.exe      31             3
PID 1200 wrote to memory of 1444  1200  Explorer.EXE  35             3
PID 2676 wrote to memory of 2744  2676  yqsi.exe      33             3
PID 2676 wrote to memory of 2456  2676  yqsi.exe      34             3
PID 2676 wrote to memory of 1444  2676  yqsi.exe      35             3
PID 2676 wrote to memory of 1016  2676  yqsi.exe      36             3
PID 2676 wrote to memory of 1468  2676  yqsi.exe      37             2
PID 2456 wrote to memory of 2732  2456  WerFault.exe  39             1
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\taskhost.exe  (PID 1092)
  command line: "taskhost.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\WerFault.exe  (PID 2744)
    command line: C:\Windows\system32\WerFault.exe -u -p 1092 -s 236
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\WerFault.exe  (PID 836)
      command line: C:\Windows\system32\WerFault.exe -u -p 2744 -s 276

C:\Windows\system32\Dwm.exe  (PID 1168)
  command line: "C:\Windows\system32\Dwm.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\WerFault.exe  (PID 2456)
    command line: C:\Windows\system32\WerFault.exe -u -p 1168 -s 312
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\WerFault.exe  (PID 2732)
      command line: C:\Windows\system32\WerFault.exe -u -p 2456 -s 272

C:\Windows\Explorer.EXE  (PID 1200)
  command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\satan.exe  (PID 1624)
    command line: "C:\Users\Admin\AppData\Local\Temp\satan.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\satan.exe  (PID 2940)
      command line: "C:\Users\Admin\AppData\Local\Temp\satan.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe  (PID 1532)
        command line: "C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe  (PID 2676)
          command line: "C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe"
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  (PID 2924)
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_d67b136a.bat"
        - Deletes itself
  C:\Windows\System32\vssadmin.exe  (PID 1444)
    command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
    - Interacts with shadow copies

C:\Windows\system32\conhost.exe  (PID 3020)
  command line: \??\C:\Windows\system32\conhost.exe "1017219433-765444425-19326936881640228321186086032-11013411571848656564-1728274869"

C:\Windows\system32\conhost.exe  (PID 1016)
  command line: \??\C:\Windows\system32\conhost.exe "-2049922866-1365135549-583211254-2059388654-20404874201636625487-1614964472-1692432138"

C:\Windows\system32\DllHost.exe  (PID 1468)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe  (PID 1932)
    command line: C:\Windows\system32\WerFault.exe -u -p 1468 -s 232
    - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\system32\vssvc.exe  (PID 1116)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\Dwm.exe  (PID 2316)
  command line: "C:\Windows\system32\Dwm.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\system32\DllHost.exe  (PID 2912)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe  (PID 2764)
    command line: C:\Windows\system32\WerFault.exe -u -p 2912 -s 448
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DllHost.exe  (PID 2680)
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe  (PID 2284)
    command line: C:\Windows\system32\WerFault.exe -u -p 2680 -s 560
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 190B
MD5: eba6b6f806b2aedca250e80154119abe
SHA1: 7d7bb6e34780bd841e17124bdd6112176b68f2d0
SHA256: 398e8d923c49164dff5579a23df54d376007259c994308b3151ce59da3060fc4
SHA512: fcb2ce9f5f1301c8a9643bc0c7ce0f4199e26b901849aaafdb6bac49dea91f06c9f56b9cf1a356a4d554fe9c14f53ea82e06993b5bea5b42f2366a5d84db9fd0

File 2
Filesize: 67KB
MD5: 3a748fbd3d0e3e3d0ae3d041da5348bd
SHA1: 317801cb486061bc4c814721bea0843167f545dc
SHA256: a5fd364590db6c17859daa087b76bca191d55069bd998512ea5ea7c3e0f731c4
SHA512: 806ff7bd932d53d50a58f94897201663d1bfa8c25f0d1d49f6d834acd0c46fe5922a4ca13bc845a5f1e03a6cecee4940807a8bd982d3f2e451fe2885ea14987d