Malware Analysis Report

2025-03-14 22:52

Sample ID 240406-1flhlscd32
Target satan.exe
SHA256 1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7
Tags
persistence ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7

Threat Level: Likely malicious

The file satan.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence ransomware

Deletes shadow copies

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:35

Reported

2024-04-06 21:38

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"taskhost.exe"

Signatures

Deletes shadow copies

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\{694D36CF-F2D8-65F5-CC8A-D97C02965D68} = "C:\\Users\\Admin\\AppData\\Roaming\\Puehiv\\yqsi.exe" C:\Windows\Explorer.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1624 set thread context of 2940 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Local\Temp\satan.exe
PID 1532 set thread context of 2676 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WerFault.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WerFault.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1624 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Local\Temp\satan.exe
PID 1624 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Local\Temp\satan.exe
PID 1624 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Local\Temp\satan.exe
PID 1624 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Local\Temp\satan.exe
PID 1624 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Local\Temp\satan.exe
PID 1624 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Local\Temp\satan.exe
PID 1624 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Local\Temp\satan.exe
PID 1624 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Local\Temp\satan.exe
PID 1624 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Local\Temp\satan.exe
PID 1624 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Local\Temp\satan.exe
PID 2940 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 2940 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 2940 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 2940 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 2940 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\satan.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 1532 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 1532 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 1532 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 1532 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 1532 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 1532 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 1532 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 1532 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 1532 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe
PID 2676 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\taskhost.exe
PID 2676 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\taskhost.exe
PID 2676 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\taskhost.exe
PID 2676 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\Dwm.exe
PID 2676 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\Dwm.exe
PID 1092 wrote to memory of 2744 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\WerFault.exe
PID 1092 wrote to memory of 2744 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\WerFault.exe
PID 1092 wrote to memory of 2744 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\WerFault.exe
PID 2676 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\Dwm.exe
PID 2676 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\Explorer.EXE
PID 2676 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\Explorer.EXE
PID 1168 wrote to memory of 2456 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\WerFault.exe
PID 1168 wrote to memory of 2456 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\WerFault.exe
PID 1168 wrote to memory of 2456 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\WerFault.exe
PID 2676 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\Explorer.EXE
PID 2676 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\conhost.exe
PID 2676 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\conhost.exe
PID 2676 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\conhost.exe
PID 1200 wrote to memory of 1444 N/A C:\Windows\Explorer.EXE C:\Windows\System32\vssadmin.exe
PID 1200 wrote to memory of 1444 N/A C:\Windows\Explorer.EXE C:\Windows\System32\vssadmin.exe
PID 1200 wrote to memory of 1444 N/A C:\Windows\Explorer.EXE C:\Windows\System32\vssadmin.exe
PID 2676 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\WerFault.exe
PID 2676 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\WerFault.exe
PID 2676 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\WerFault.exe
PID 2676 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\WerFault.exe
PID 2676 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\WerFault.exe
PID 2676 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\WerFault.exe
PID 2676 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\System32\vssadmin.exe
PID 2676 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\System32\vssadmin.exe
PID 2676 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\System32\vssadmin.exe
PID 2676 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\conhost.exe
PID 2676 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\conhost.exe
PID 2676 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\conhost.exe
PID 2676 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\DllHost.exe
PID 2676 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe C:\Windows\system32\DllHost.exe
PID 2456 wrote to memory of 2732 N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\WerFault.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\satan.exe

"C:\Users\Admin\AppData\Local\Temp\satan.exe"

C:\Users\Admin\AppData\Local\Temp\satan.exe

"C:\Users\Admin\AppData\Local\Temp\satan.exe"

C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe

"C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_d67b136a.bat"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1017219433-765444425-19326936881640228321186086032-11013411571848656564-1728274869"

C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe

"C:\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1092 -s 236

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1168 -s 312

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2049922866-1365135549-583211254-2059388654-20404874201636625487-1614964472-1692432138"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2744 -s 276

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2456 -s 272

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1468 -s 232

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2912 -s 448

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2680 -s 560

Network

Country Destination Domain Proto
US 8.8.8.8:53 6pi3jrqjbssfh6gu.onion.pw udp
US 144.202.70.158:80 6pi3jrqjbssfh6gu.onion.pw tcp
US 144.202.70.158:443 6pi3jrqjbssfh6gu.onion.pw tcp
US 144.202.70.158:443 6pi3jrqjbssfh6gu.onion.pw tcp
US 144.202.70.158:443 6pi3jrqjbssfh6gu.onion.pw tcp
US 144.202.70.158:443 6pi3jrqjbssfh6gu.onion.pw tcp

Files

memory/2940-0-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2940-2-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2940-3-0x0000000000400000-0x0000000000412000-memory.dmp

\Users\Admin\AppData\Roaming\Puehiv\yqsi.exe

MD5 3a748fbd3d0e3e3d0ae3d041da5348bd
SHA1 317801cb486061bc4c814721bea0843167f545dc
SHA256 a5fd364590db6c17859daa087b76bca191d55069bd998512ea5ea7c3e0f731c4
SHA512 806ff7bd932d53d50a58f94897201663d1bfa8c25f0d1d49f6d834acd0c46fe5922a4ca13bc845a5f1e03a6cecee4940807a8bd982d3f2e451fe2885ea14987d

memory/1532-14-0x0000000000410000-0x00000000004AF000-memory.dmp

memory/1532-12-0x00000000002B0000-0x0000000000379000-memory.dmp

memory/2940-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1532-16-0x0000000000380000-0x000000000039F000-memory.dmp

memory/1532-18-0x0000000000B80000-0x0000000000C89000-memory.dmp

memory/1532-17-0x00000000006E0000-0x000000000080D000-memory.dmp

memory/1532-20-0x00000000005C0000-0x00000000005D7000-memory.dmp

memory/2676-22-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp_d67b136a.bat

MD5 eba6b6f806b2aedca250e80154119abe
SHA1 7d7bb6e34780bd841e17124bdd6112176b68f2d0
SHA256 398e8d923c49164dff5579a23df54d376007259c994308b3151ce59da3060fc4
SHA512 fcb2ce9f5f1301c8a9643bc0c7ce0f4199e26b901849aaafdb6bac49dea91f06c9f56b9cf1a356a4d554fe9c14f53ea82e06993b5bea5b42f2366a5d84db9fd0

memory/2676-27-0x00000000004F0000-0x000000000058F000-memory.dmp

memory/2676-28-0x00000000002B0000-0x00000000002CF000-memory.dmp

memory/2676-26-0x0000000000420000-0x00000000004E9000-memory.dmp

memory/2676-29-0x0000000000670000-0x000000000079D000-memory.dmp

memory/2676-30-0x00000000007A0000-0x0000000000811000-memory.dmp

memory/2676-31-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2676-32-0x0000000002150000-0x0000000002259000-memory.dmp

memory/2676-34-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

memory/1092-35-0x0000000001BC0000-0x0000000001BD7000-memory.dmp

memory/2676-33-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1092-37-0x0000000001BC0000-0x0000000001BD7000-memory.dmp

memory/1092-39-0x0000000001BC0000-0x0000000001BD7000-memory.dmp

memory/1092-41-0x0000000001BC0000-0x0000000001BD7000-memory.dmp

memory/1168-44-0x0000000001DB0000-0x0000000001DC7000-memory.dmp

memory/1168-46-0x0000000001DB0000-0x0000000001DC7000-memory.dmp

memory/1168-48-0x0000000001DB0000-0x0000000001DC7000-memory.dmp

memory/1200-50-0x0000000002B00000-0x0000000002B17000-memory.dmp

memory/1200-52-0x0000000002B00000-0x0000000002B17000-memory.dmp

memory/1200-51-0x0000000002B00000-0x0000000002B17000-memory.dmp

memory/3020-56-0x0000000000110000-0x0000000000127000-memory.dmp

memory/1200-57-0x0000000002B00000-0x0000000002B17000-memory.dmp

memory/1200-61-0x0000000002B00000-0x0000000002B17000-memory.dmp

memory/1200-63-0x0000000002B00000-0x0000000002B17000-memory.dmp

memory/3020-60-0x0000000000110000-0x0000000000127000-memory.dmp

memory/1200-59-0x0000000002B00000-0x0000000002B17000-memory.dmp

memory/3020-66-0x0000000000110000-0x0000000000127000-memory.dmp

memory/2744-67-0x0000000000530000-0x0000000000547000-memory.dmp

memory/2744-69-0x0000000000530000-0x0000000000547000-memory.dmp

memory/2744-71-0x0000000000530000-0x0000000000547000-memory.dmp

memory/2456-74-0x00000000001A0000-0x00000000001B7000-memory.dmp

memory/3020-64-0x0000000000110000-0x0000000000127000-memory.dmp

memory/2456-78-0x00000000001A0000-0x00000000001B7000-memory.dmp

memory/2456-76-0x00000000001A0000-0x00000000001B7000-memory.dmp

memory/3020-58-0x0000000000110000-0x0000000000127000-memory.dmp

memory/1200-55-0x0000000002B00000-0x0000000002B17000-memory.dmp

memory/1444-85-0x0000000000060000-0x0000000000077000-memory.dmp

memory/1016-91-0x0000000000110000-0x0000000000127000-memory.dmp

memory/2744-100-0x00000000022A0000-0x00000000022A1000-memory.dmp

memory/1444-105-0x0000000000060000-0x0000000000077000-memory.dmp

memory/1016-106-0x0000000000110000-0x0000000000127000-memory.dmp

memory/2676-115-0x0000000003EB0000-0x0000000003EC7000-memory.dmp

memory/1932-127-0x0000000002640000-0x0000000002657000-memory.dmp

memory/2676-137-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2316-139-0x0000000001AC0000-0x0000000001AD7000-memory.dmp

memory/2676-145-0x0000000003EB0000-0x0000000003EC7000-memory.dmp

memory/1932-146-0x0000000002640000-0x0000000002657000-memory.dmp

memory/2316-147-0x0000000001AC0000-0x0000000001AD7000-memory.dmp

memory/2764-175-0x00000000002A0000-0x00000000002B7000-memory.dmp

memory/2764-184-0x00000000022C0000-0x00000000022C1000-memory.dmp

memory/2764-187-0x00000000002A0000-0x00000000002B7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:35

Reported

2024-04-06 21:38

Platform

win10v2004-20240226-en

Max time kernel

1s

Max time network

4s

Command Line

"C:\Users\Admin\AppData\Local\Temp\satan.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\satan.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\satan.exe

"C:\Users\Admin\AppData\Local\Temp\satan.exe"

C:\Users\Admin\AppData\Local\Temp\satan.exe

"C:\Users\Admin\AppData\Local\Temp\satan.exe"

C:\Users\Admin\AppData\Roaming\Qigoy\xicyy.exe

"C:\Users\Admin\AppData\Roaming\Qigoy\xicyy.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_f6414448.bat"

C:\Users\Admin\AppData\Roaming\Qigoy\xicyy.exe

"C:\Users\Admin\AppData\Roaming\Qigoy\xicyy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp

Files

memory/1544-0-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1544-2-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1544-3-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Roaming\Qigoy\xicyy.exe

MD5 98bcf6d5352b2bfcbb0f20d282b06f8f
SHA1 d36103010e02705567344b7af1cfdc827b044f79
SHA256 f6a78ed057a4f006cdff47c49decbc5ae4f684ac6bf3afdf4f19797eb1d60280
SHA512 8c68df047576cb6e82f25522c7c05c56ea6289369bf271194db6494dfcf79f89d8caa9c5f685f009d9704af32ba799f9abf133af06602d32c913ab8b36c97be7

memory/1972-11-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1544-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3740-16-0x0000000000620000-0x00000000008E9000-memory.dmp

memory/3740-14-0x0000000000560000-0x000000000061E000-memory.dmp

memory/1972-15-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3740-18-0x0000000000170000-0x0000000000200000-memory.dmp

memory/3740-20-0x00000000009C0000-0x0000000000B61000-memory.dmp

memory/1972-19-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3740-22-0x0000000000B70000-0x0000000000C1C000-memory.dmp

memory/2700-21-0x0000017071F40000-0x0000017071F57000-memory.dmp

memory/2840-23-0x000001B934750000-0x000001B934767000-memory.dmp

memory/3408-28-0x0000000002D10000-0x0000000002D27000-memory.dmp

memory/2636-27-0x000002808D010000-0x000002808D027000-memory.dmp

memory/3740-26-0x0000000000D20000-0x0000000000D42000-memory.dmp

memory/3408-35-0x0000000002D10000-0x0000000002D27000-memory.dmp

memory/3540-31-0x000001ED523D0000-0x000001ED523E7000-memory.dmp