satancryptor | dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876

General

Target

dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
Size

1.8MB
MD5

057aad993a3ef50f6b3ca2db37cb928a
SHA1

a57592be641738c86c85308ef68148181249bc0b
SHA256

dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876
SHA512

87c89027d60f80e99c526584fa093620b3f099151170362424ad78f5e4d7184bd9f2d627ec8463ca202127835f435dd4f85bf2b0d9351593c688855f0bbaffbb
SSDEEP

49152:BY/3BNLViG5jQWArXncSxhBfV7xLE1t+XgWJz5qtAj6R:BwgG5MWMX7h8+Uw

Score

10^/10

satancryptor zebrocy backdoor ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\ProgramData\Adobe\# SATAN CRYPTOR #.hta

Ransom Note

<html> <head> <title>SATAN CRYPTOR</title> <HTA:APPLICATION ID="" APPLICATIONNAME="" BORDER="DIALOG" MAXIMIZEBUTTON="NO" SCROLLFLAT="YES" CAPTION="YES" SELECTION="NO" INNERBORDER="NO" ICON="" SCROLL="NO" SHOWINTASKBAR="YES" SINGLEINSTANCE="YES" SYSMENU="YES" WINDOWSTATE="NORMAL" /> </head> <script language=javascript> var winWidth = 800; var winHeight = 600; window.resizeTo(winWidth, winHeight); window.moveTo(screen.width/2-winWidth/2, screen.height/2-winHeight/2); </script> <body bgcolor=buttonface text=buttontext style="font: 10pt 'Tahoma'"> <div style="font-weight:bold; font:16pt; text-align: center" id="Tittle">Attention!</div> <br> <div style="padding:15px" id="SubTittle"> Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the cipher key recovery is impossible! <br> <br> To decrypt your files you need to buy the special software - <strong>SATAN DECRYPTOR</strong> and your <strong>Private Decryption Key</strong>. <br> <br> Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk. <br> <br> If you want to restore files, write us to the our e-mail: <strong>[email protected]</strong> <br> <br> Please write your <strong>Personal Identification Code</strong> in body of your message. <br> <br> Also attach to email 3 encrypted files for free decryption test. (each file have to be less than 1 MB size and not have valuable content) <br> <br> It is in your interest to respond as soon as possible to ensure the restoration of your files! <br> <br> Your <strong>Personal Identification Code</strong>: </div> <center> <textarea style="overflow:auto; font:10pt 'Tahoma'" name="TextArea" rows=10 cols=120 readonly>5354000000019B040000571301407960D46F1829A6B1A7A5F2F2C8857897D91FF38F83C9316CBC37A9C7492EE386842559C5CB53979DCCA809B2489B675295A6BB1FE42C1603B7392B923B1E11DF4A75AE5FFB6F69D66A0B13AED1C59A67C5E8A5EF3ABF7F0E7EF34A3F1E8D8A0AF510D1EB44694F6600A62D5FF866A95BB4B9EAB81183E60A185476BA3134C981F96302291322995C14CA552AB47A8882FCCFCC3FFEA9582DBD627782F4494A6AEBB1E20674D653EAEE9233EBD9D9EBE41F86B60DF3768D4678DD91868339A718F3E73C1FBC8EF32EDBCEBBC8894BFE5EB572C7566B92F3EE45624624F8555FD3721B0AF03E804D5BF079758B910591DE681EE851475DD5B9FDFDDCE4738C47E6913FF619AAB2E56B478D0EA797EE7EDB45E98EAC572D20BDB7392BD568B592F74DCF2FAF28078D5B766DE22406219B1E0DC09FE20A02B273D02B9AAE3F338F836C63BD86F708310D64AE1012A061F9A618611C1F39F749A9787C8FEB3E08926D0939C4A17474C50FDE4A4D4A42FD2ADFFF990D61C03750A9A68C4206814C694EDE4438ED21DC00E616EAA8A6D0FF44FC1BE3F6B4825C6D91C1F2B898D7E410B97F2A655D5409C55D03226E69B849F271F5D5EA930A5EBB2D56688BECE877DFB34C58DF9E5D97607F134346C3251823E7D5BC2D59295D7E3A52C4C9A30B2CB337217917C4957518D7CBAB9C1B5055FD8CF2E2754383D7A45634716F967F3DA41AA1FFCE9FF0A00445968ABF5A7E31AABBAA3F523047A9A322085BAF0F5C8DD4748495A21F6B69D22B5ECA131E856A2F5F901B38AF0CF3FC6356D98929FD3FB042B77600DCB67447AD1346BAFA3C18D284B264D7B9021ECD0297BA816DBF1A70CEA7148B6BBDFCA73A27CDDA80FBD5BF2D96E05800E04D26FB547CDC0B3624D05C7E5445B1D30F6DEA2C0AAC8230C8F211E0E27BF33EDDB0DDE60C3EBC17AA594B4B5680CCE57F59D979924E7B70EB861C0F6D6E6C01A2BF9E66730825E572CA38BD58E718C543C73FBEFFD05C154B5AD4493D99205C9CD4934C3808F05D1C6B595D1CF10FA5770547D2403C9B5882C6EB5FDBF690CC3AB52CC7F24EC436FAB94B8A6FB899F9C87F45ABA27B29FBBE62FCBCC195DD2943384AA84B8AD7DF385C42940F5EDE13F992F4E498C2B11A3442021C3ED94D016CA89104ECBAC59B0C4706A9C2E84F159B2171A0407C421CDED687B9315CBE3CF99072C969FF316E3C2984FE74AF0DD27F07350EF722E58332D6FB23D86A17B4E979D4A536F129692CE6670E03420AE63EA7A61A11A0DA3AB29D32E6CA28D4825F1BF430FF2965E7E6B3235E5A8348183BE2DED63A667E2482CFFC4A1A6691A270EF9A88E0DD838F023568BAA6CD6C9E748B03308420B16B562A0BD2293D1DF5193AC08D7DF7CAC4F32AFE9EAEDE9733A20870266D559061EC72799ECA09B58E0F2EB99DB7601C6272295ABE91CE00FDA7272A4364FC0A25C602CE56B7F0460B767FDB6AE038B485C4910AAA76D47A2EE4F0BC293F36A17EC1A9284695E1DAC4AEDB0306B3D453A3B2A3C090C53E9B0B836E86838C45AA16A56859AA22972D508547608F9EC0F6AF770309FA5C45C1C55722B859B97A42DFCF853A49B472E7ED5D4F767AD48D2BAB4A07431ECAFED6A46D4924906EDB2CE21A0BA49FE6F501A17212B6C7F19317AEFDEDAD040000</textarea> </center> </body>

Emails

<strong>[email protected]</strong>

Extracted

Family

zebrocy

C2

Windows XP Professional x64 Edition

Signatures

SatanCryptor
Golang ransomware first seen in early 2020.
ransomware satancryptor
Zebrocy
Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.
trojan backdoor zebrocy

Zebrocy Go Variant 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2500-6378-0x0000000000400000-0x00000000008D5000-memory.dmp	Zebrocy
behavioral2/memory/2500-6379-0x0000000000400000-0x00000000008D5000-memory.dmp	Zebrocy
behavioral2/memory/2500-6381-0x0000000000400000-0x00000000008D5000-memory.dmp	Zebrocy

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2500-0-0x0000000000400000-0x00000000008D5000-memory.dmp	UPX
behavioral2/memory/2500-6378-0x0000000000400000-0x00000000008D5000-memory.dmp	UPX
behavioral2/memory/2500-6379-0x0000000000400000-0x00000000008D5000-memory.dmp	UPX
behavioral2/memory/2500-6381-0x0000000000400000-0x00000000008D5000-memory.dmp	UPX

Drops startup file 1 IoCs

Processes:

dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\# SATAN CRYPTOR #.hta	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2500-0-0x0000000000400000-0x00000000008D5000-memory.dmp	upx
behavioral2/memory/2500-6378-0x0000000000400000-0x00000000008D5000-memory.dmp	upx
behavioral2/memory/2500-6379-0x0000000000400000-0x00000000008D5000-memory.dmp	upx
behavioral2/memory/2500-6381-0x0000000000400000-0x00000000008D5000-memory.dmp	upx

Drops desktop.ini file(s) 28 IoCs

Processes:

dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Public\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 extreme-ip-lookup.com
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 20 Go-http-client/1.1

flow	ioc
19	extreme-ip-lookup.com

description	flow	ioc
HTTP User-Agent header	20	Go-http-client/1.1

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe

description	pid	process	target process
PID 2500 wrote to memory of 808	2500	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe	cmd.exe
PID 2500 wrote to memory of 808	2500	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe	cmd.exe
PID 2500 wrote to memory of 808	2500	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe	cmd.exe
PID 2500 wrote to memory of 4888	2500	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe	cmd.exe
PID 2500 wrote to memory of 4888	2500	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe	cmd.exe
PID 2500 wrote to memory of 4888	2500	dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
"C:\Users\Admin\AppData\Local\Temp\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver
  2⤵
  PID:808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
  2⤵
  PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\# SATAN CRYPTOR #.hta

Filesize
4KB

MD5
2edca2ddd89e98f4cede3c2da8a3bda5

SHA1
e662b342a26ee83d51a5fb84491a7d59e08fdf76

SHA256
027e52f7f97969bf976c7af6fa4fafb684fe6d7164e15eca48114b60887688be

SHA512
4c895979fd366ef41467e616bfb60769a580d867a6cca3eaa90830a5bef4b6a398dc1b7e7278e40d840eb5ecfadd67e7f1a86f3d0309372183dd7046d7eb003a

Download Submit
memory/2500-0-0x0000000000400000-0x00000000008D5000-memory.dmp

Filesize
4.8MB

Download
memory/2500-6378-0x0000000000400000-0x00000000008D5000-memory.dmp

Filesize
4.8MB

Download
memory/2500-6379-0x0000000000400000-0x00000000008D5000-memory.dmp

Filesize
4.8MB

Download
memory/2500-6381-0x0000000000400000-0x00000000008D5000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads