595e2825095b12ddfba4ee6f98f4f6cb1ff1fbc37a3b3191b2fc203d486ba163

Analysis

max time kernel
1800s
max time network
1559s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
26-04-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

satan.exe
Size

184KB
MD5

c9c341eaf04c89933ed28cbc2739d325
SHA1

c5b7d47aef3bd33a24293138fcba3a5ff286c2a8
SHA256

1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7
SHA512

7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b
SSDEEP

3072:H8SIBtQnE7OhssdWJ5jy392aCmCbBq0ryEbh/Wl7hqU6Q4NJ15xgDbvSY5thfRb3:c7qvhssdu5jyYaCmCQVE6hqUI5sb9Rb3

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1208 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

obywa.exeobywa.exe

pid process

288 obywa.exe
2096 obywa.exe
Loads dropped DLL 3 IoCs

Processes:

satan.exeobywa.exe

pid process

2036 satan.exe
2036 satan.exe
288 obywa.exe

pid	process
1208	cmd.exe

pid	process
288	obywa.exe
2096	obywa.exe

pid	process
2036	satan.exe
2036	satan.exe
288	obywa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Dwm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7D33774F-F3FD-65F5-E5C7-D97C02965D68} = "C:\\Users\\Admin\\AppData\\Roaming\\Egimoq\\obywa.exe"	Dwm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

Dwm.exeExplorer.EXEobywa.exeWerFault.exe

pid	process
1188	Dwm.exe
1188	Dwm.exe
1188	Dwm.exe
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
2096	obywa.exe
2096	obywa.exe
2096	obywa.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2096	obywa.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

satan.exeobywa.exe

description pid process target process

PID 2028 set thread context of 2036 2028 satan.exe satan.exe
PID 288 set thread context of 2096 288 obywa.exe obywa.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1448 vssadmin.exe

description	pid	process	target process
PID 2028 set thread context of 2036	2028	satan.exe	satan.exe
PID 288 set thread context of 2096	288	obywa.exe	obywa.exe

pid	process
1448	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

satan.exeobywa.exeobywa.exeWerFault.exeDwm.exe

pid	process
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
2028	satan.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
288	obywa.exe
2096	obywa.exe
2096	obywa.exe
2096	obywa.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
1188	Dwm.exe
1188	Dwm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

2724 WerFault.exe

pid	process
2724	WerFault.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

WerFault.exeExplorer.EXEvssvc.exe

description	pid	process
Token: SeDebugPrivilege	2724	WerFault.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeBackupPrivilege	2796	vssvc.exe
Token: SeRestorePrivilege	2796	vssvc.exe
Token: SeAuditPrivilege	2796	vssvc.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

satan.exesatan.exeobywa.exeobywa.exetaskhost.exeDllHost.exeExplorer.EXEDwm.exe

description	pid	process	target process
PID 2028 wrote to memory of 2036	2028	satan.exe	satan.exe
PID 2028 wrote to memory of 2036	2028	satan.exe	satan.exe
PID 2028 wrote to memory of 2036	2028	satan.exe	satan.exe
PID 2028 wrote to memory of 2036	2028	satan.exe	satan.exe
PID 2028 wrote to memory of 2036	2028	satan.exe	satan.exe
PID 2028 wrote to memory of 2036	2028	satan.exe	satan.exe
PID 2028 wrote to memory of 2036	2028	satan.exe	satan.exe
PID 2028 wrote to memory of 2036	2028	satan.exe	satan.exe
PID 2028 wrote to memory of 2036	2028	satan.exe	satan.exe
PID 2028 wrote to memory of 2036	2028	satan.exe	satan.exe
PID 2036 wrote to memory of 288	2036	satan.exe	obywa.exe
PID 2036 wrote to memory of 288	2036	satan.exe	obywa.exe
PID 2036 wrote to memory of 288	2036	satan.exe	obywa.exe
PID 2036 wrote to memory of 288	2036	satan.exe	obywa.exe
PID 2036 wrote to memory of 1208	2036	satan.exe	cmd.exe
PID 2036 wrote to memory of 1208	2036	satan.exe	cmd.exe
PID 2036 wrote to memory of 1208	2036	satan.exe	cmd.exe
PID 2036 wrote to memory of 1208	2036	satan.exe	cmd.exe
PID 288 wrote to memory of 2096	288	obywa.exe	obywa.exe
PID 288 wrote to memory of 2096	288	obywa.exe	obywa.exe
PID 288 wrote to memory of 2096	288	obywa.exe	obywa.exe
PID 288 wrote to memory of 2096	288	obywa.exe	obywa.exe
PID 288 wrote to memory of 2096	288	obywa.exe	obywa.exe
PID 288 wrote to memory of 2096	288	obywa.exe	obywa.exe
PID 288 wrote to memory of 2096	288	obywa.exe	obywa.exe
PID 288 wrote to memory of 2096	288	obywa.exe	obywa.exe
PID 288 wrote to memory of 2096	288	obywa.exe	obywa.exe
PID 288 wrote to memory of 2096	288	obywa.exe	obywa.exe
PID 2096 wrote to memory of 1108	2096	obywa.exe	taskhost.exe
PID 2096 wrote to memory of 1108	2096	obywa.exe	taskhost.exe
PID 2096 wrote to memory of 1108	2096	obywa.exe	taskhost.exe
PID 1108 wrote to memory of 2724	1108	taskhost.exe	WerFault.exe
PID 1108 wrote to memory of 2724	1108	taskhost.exe	WerFault.exe
PID 1108 wrote to memory of 2724	1108	taskhost.exe	WerFault.exe
PID 2096 wrote to memory of 1188	2096	obywa.exe	Dwm.exe
PID 2096 wrote to memory of 1188	2096	obywa.exe	Dwm.exe
PID 2096 wrote to memory of 1188	2096	obywa.exe	Dwm.exe
PID 2096 wrote to memory of 1220	2096	obywa.exe	Explorer.EXE
PID 2096 wrote to memory of 1220	2096	obywa.exe	Explorer.EXE
PID 2096 wrote to memory of 1220	2096	obywa.exe	Explorer.EXE
PID 2096 wrote to memory of 1976	2096	obywa.exe	DllHost.exe
PID 2096 wrote to memory of 1976	2096	obywa.exe	DllHost.exe
PID 2096 wrote to memory of 1976	2096	obywa.exe	DllHost.exe
PID 2096 wrote to memory of 2724	2096	obywa.exe	WerFault.exe
PID 2096 wrote to memory of 2724	2096	obywa.exe	WerFault.exe
PID 2096 wrote to memory of 2724	2096	obywa.exe	WerFault.exe
PID 1976 wrote to memory of 2472	1976	DllHost.exe	WerFault.exe
PID 1976 wrote to memory of 2472	1976	DllHost.exe	WerFault.exe
PID 1976 wrote to memory of 2472	1976	DllHost.exe	WerFault.exe
PID 1220 wrote to memory of 1448	1220	Explorer.EXE	vssadmin.exe
PID 1220 wrote to memory of 1448	1220	Explorer.EXE	vssadmin.exe
PID 1220 wrote to memory of 1448	1220	Explorer.EXE	vssadmin.exe
PID 1188 wrote to memory of 2096	1188	Dwm.exe	obywa.exe
PID 1188 wrote to memory of 2096	1188	Dwm.exe	obywa.exe
PID 1188 wrote to memory of 2096	1188	Dwm.exe	obywa.exe
PID 1188 wrote to memory of 2472	1188	Dwm.exe	WerFault.exe
PID 1188 wrote to memory of 2472	1188	Dwm.exe	WerFault.exe
PID 1188 wrote to memory of 2472	1188	Dwm.exe	WerFault.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1108 -s 124
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\satan.exe
"C:\Users\Admin\AppData\Local\Temp\satan.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\satan.exe
"C:\Users\Admin\AppData\Local\Temp\satan.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Roaming\Egimoq\obywa.exe
"C:\Users\Admin\AppData\Roaming\Egimoq\obywa.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:288

C:\Users\Admin\AppData\Roaming\Egimoq\obywa.exe
"C:\Users\Admin\AppData\Roaming\Egimoq\obywa.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_fa6ee8f4.bat"
4⤵
- Deletes itself
PID:1208

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1448

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1976 -s 408
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp_fa6ee8f4.bat

Filesize
190B

MD5
f4565b92515a14f998f5a4fbd5452ed2

SHA1
51678a94d628d49ff86f29f9f7d6fa42669d7fd4

SHA256
0509b22e3243fac87b925a49ea7cfdf53efae5d5d7ff1e2c6d193fa7d3deba07

SHA512
8ca128eb097032cd0eec6bad0d8b25b9bc917c6febd7f1791468010146b1e26b2b569761aa53193d8027531876a9043398224512995055fde6e202804dd6795c

Download Submit
C:\Users\Admin\AppData\Roaming\Egimoq\obywa.exe

Filesize
67KB

MD5
a141798c0a7767ad79e41c0d0a73f199

SHA1
23e18e6f3879b78139eccbca8725e436ca9aee80

SHA256
216d19e81f299adcc4788eb4dd18cbc568f1f64120948ac4cb3843e7ccf89723

SHA512
5dc4a252dc7451021d6f6c62fae3152e1ee64d29d6eb9184d22aefcf496f32ed495ae4a32b58aae50bfa3637a140c0b3236f5ec9ea2e05de18a811c8dbb2bd9a

Download Submit
memory/288-12-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/288-13-0x00000000004E0000-0x000000000057F000-memory.dmp

Filesize
636KB

Download
memory/288-14-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/288-15-0x0000000000660000-0x000000000078D000-memory.dmp

Filesize
1.2MB

Download
memory/288-17-0x0000000000A80000-0x0000000000B89000-memory.dmp

Filesize
1.0MB

Download
memory/288-20-0x0000000000790000-0x00000000007A7000-memory.dmp

Filesize
92KB

Download
memory/1108-38-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1108-41-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1108-34-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1108-36-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1188-49-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/1188-55-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/1188-45-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/1188-53-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/1188-44-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/1188-46-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/1188-51-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/1220-50-0x0000000002E20000-0x0000000002E37000-memory.dmp

Filesize
92KB

Download
memory/1220-71-0x0000000002E20000-0x0000000002E37000-memory.dmp

Filesize
92KB

Download
memory/1220-54-0x0000000002E20000-0x0000000002E37000-memory.dmp

Filesize
92KB

Download
memory/1220-52-0x0000000002E20000-0x0000000002E37000-memory.dmp

Filesize
92KB

Download
memory/1220-73-0x0000000002E20000-0x0000000002E37000-memory.dmp

Filesize
92KB

Download
memory/1220-70-0x0000000002E20000-0x0000000002E37000-memory.dmp

Filesize
92KB

Download
memory/1220-68-0x0000000002E20000-0x0000000002E37000-memory.dmp

Filesize
92KB

Download
memory/1220-72-0x0000000002E20000-0x0000000002E37000-memory.dmp

Filesize
92KB

Download
memory/1220-67-0x0000000002E20000-0x0000000002E37000-memory.dmp

Filesize
92KB

Download
memory/1976-60-0x0000000000160000-0x0000000000177000-memory.dmp

Filesize
92KB

Download
memory/1976-62-0x0000000000160000-0x0000000000177000-memory.dmp

Filesize
92KB

Download
memory/1976-58-0x0000000000160000-0x0000000000177000-memory.dmp

Filesize
92KB

Download
memory/2036-3-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2096-26-0x00000000004F0000-0x000000000058F000-memory.dmp

Filesize
636KB

Download
memory/2096-80-0x0000000003CB0000-0x0000000003CC7000-memory.dmp

Filesize
92KB

Download
memory/2096-27-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2096-97-0x0000000003CB0000-0x0000000003CC7000-memory.dmp

Filesize
92KB

Download
memory/2096-25-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/2096-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2096-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2096-29-0x00000000007A0000-0x0000000000811000-memory.dmp

Filesize
452KB

Download
memory/2096-33-0x0000000003BE0000-0x0000000003BF7000-memory.dmp

Filesize
92KB

Download
memory/2096-28-0x0000000000670000-0x000000000079D000-memory.dmp

Filesize
1.2MB

Download
memory/2096-39-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2096-76-0x0000000003CB0000-0x0000000003CC7000-memory.dmp

Filesize
92KB

Download
memory/2096-32-0x0000000002170000-0x0000000002279000-memory.dmp

Filesize
1.0MB

Download
memory/2096-77-0x0000000003CB0000-0x0000000003CC7000-memory.dmp

Filesize
92KB

Download
memory/2096-78-0x0000000003CB0000-0x0000000003CC7000-memory.dmp

Filesize
92KB

Download
memory/2472-91-0x0000000002290000-0x00000000022A7000-memory.dmp

Filesize
92KB

Download
memory/2724-69-0x00000000024A0000-0x00000000024B7000-memory.dmp

Filesize
92KB

Download
memory/2724-95-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2724-64-0x00000000024A0000-0x00000000024B7000-memory.dmp

Filesize
92KB

Download
memory/2724-66-0x00000000024A0000-0x00000000024B7000-memory.dmp

Filesize
92KB

Download
memory/2724-74-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2724-65-0x00000000024A0000-0x00000000024B7000-memory.dmp

Filesize
92KB

Download