Overview

overview

9

Static

static

3

satan.zip

windows7-x64

1

satan.zip

windows10-2004-x64

1

satan.exe

windows7-x64

9

satan.exe

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    satan.zip

  • Size

    143KB

  • Sample

    240426-jxan1acc83

  • MD5

    d309e1391579364a758c67fafb3b6e8a

  • SHA1

    d36d77044dce9a03766fce192629e6d2bc2e8dd5

  • SHA256

    595e2825095b12ddfba4ee6f98f4f6cb1ff1fbc37a3b3191b2fc203d486ba163

  • SHA512

    b1c5af6894983c58564a2b3b63e36edf0a2e5f6e6ab5268030eaf3027326dc2a9fc31e449a7dd12078a0e878afa753872e309e0e16bb58997e7fd3b8c03aa6cb

  • SSDEEP

    3072:UFecUyHplrpGNQBSdtbrTUZDEsSubSSDfBM/KHGn7cf4zF5/7+:UFhU8pzjBSbUdPS9SDZIKHUj+

Score
9/10
persistenceransomware

Malware Config

Targets

    • Target

      satan.zip

    • Size

      143KB

    • MD5

      d309e1391579364a758c67fafb3b6e8a

    • SHA1

      d36d77044dce9a03766fce192629e6d2bc2e8dd5

    • SHA256

      595e2825095b12ddfba4ee6f98f4f6cb1ff1fbc37a3b3191b2fc203d486ba163

    • SHA512

      b1c5af6894983c58564a2b3b63e36edf0a2e5f6e6ab5268030eaf3027326dc2a9fc31e449a7dd12078a0e878afa753872e309e0e16bb58997e7fd3b8c03aa6cb

    • SSDEEP

      3072:UFecUyHplrpGNQBSdtbrTUZDEsSubSSDfBM/KHGn7cf4zF5/7+:UFhU8pzjBSbUdPS9SDZIKHUj+

    Score
    1/10
    behavioral1behavioral2

    • Target

      satan.bin

    • Size

      184KB

    • MD5

      c9c341eaf04c89933ed28cbc2739d325

    • SHA1

      c5b7d47aef3bd33a24293138fcba3a5ff286c2a8

    • SHA256

      1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7

    • SHA512

      7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b

    • SSDEEP

      3072:H8SIBtQnE7OhssdWJ5jy392aCmCbBq0ryEbh/Wl7hqU6Q4NJ15xgDbvSY5thfRb3:c7qvhssdu5jyYaCmCQVE6hqUI5sb9Rb3

    Score
    9/10
    persistenceransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Resource Development

Reconnaissance

Tasks