Overview

overview

9

Static

static

3

satan.exe

windows7-x64

9

satan.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    satan.exe

  • Size

    184KB

  • MD5

    c9c341eaf04c89933ed28cbc2739d325

  • SHA1

    c5b7d47aef3bd33a24293138fcba3a5ff286c2a8

  • SHA256

    1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7

  • SHA512

    7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b

  • SSDEEP

    3072:H8SIBtQnE7OhssdWJ5jy392aCmCbBq0ryEbh/Wl7hqU6Q4NJ15xgDbvSY5thfRb3:c7qvhssdu5jyYaCmCQVE6hqUI5sb9Rb3

Score
9/10
defense_evasiondiscoveryexecutionimpactpersistenceransomware

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\System32\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1488
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1172
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\satan.exe
      "C:\Users\Admin\AppData\Local\Temp\satan.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:304
      • C:\Users\Admin\AppData\Local\Temp\satan.exe
        "C:\Users\Admin\AppData\Local\Temp\satan.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Users\Admin\AppData\Roaming\Ogzuod\imak.exe
          "C:\Users\Admin\AppData\Roaming\Ogzuod\imak.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1980
          • C:\Users\Admin\AppData\Roaming\Ogzuod\imak.exe
            "C:\Users\Admin\AppData\Roaming\Ogzuod\imak.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2260
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_c4d77dac.bat"
          4⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2016
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:1656
    • C:\Windows\system32\conhost.exe
      \??\C:\Windows\system32\conhost.exe "-1039509817968555902-2008950167-580571144028244717465770846487272551178158462"
      1⤵
        PID:2188
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2788
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
        1⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:1412
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
        1⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:1076
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
        1⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:1752
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
        1⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:2740
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
        1⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:2800

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp_c4d77dac.bat
        Filesize

        190B

        MD5

        6cbc448269ca82be8bae4f6033e89dd8

        SHA1

        842a7f1fe4a3beeba1e14752c68d2ed479abe6b8

        SHA256

        5e956e6edac181ab5e579ba85ff18d6f1715e758009fcf5fac7dab7f3716f855

        SHA512

        a6fe9d92dc661fd2fa444a52e87dcd9cae818424edb3cf9f90ef072c3c97621642ec250f0ae9445e55d7f36bce8236044b5ffc2d1d15157f567f98dc5195e096

        Download Submit

      • \Users\Admin\AppData\Roaming\Ogzuod\imak.exe
        Filesize

        67KB

        MD5

        03b9de6c010b9cdff0f41fbbdcb8d2fe

        SHA1

        c5bbe39414169408fbaab352a9d7139c9ea8bcae

        SHA256

        dcdf173f38a8968f4017af44d02e9bc8b21ceff1a4caeb5bbc3c5441f53426e6

        SHA512

        20518ea344256806e5239ca8e2fb8858263aecba5d5c62bff2fc73d8c17a7ffbf06620272f3baefa0dc035cb3f0bc98766c137e1953463f477a1a9f7d1f1c5d3

        Download Submit

      • memory/1104-35-0x00000000001B0000-0x00000000001C7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1104-37-0x00000000001B0000-0x00000000001C7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1104-39-0x00000000001B0000-0x00000000001C7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1104-41-0x00000000001B0000-0x00000000001C7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1104-71-0x00000000001B0000-0x00000000001C7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1104-72-0x00000000001B0000-0x00000000001C7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1104-73-0x00000000001B0000-0x00000000001C7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1104-74-0x00000000001B0000-0x00000000001C7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1104-75-0x00000000001B0000-0x00000000001C7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1172-48-0x0000000002010000-0x0000000002027000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1172-44-0x0000000002010000-0x0000000002027000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1172-46-0x0000000002010000-0x0000000002027000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1172-78-0x0000000002010000-0x0000000002027000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1172-76-0x0000000002010000-0x0000000002027000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1252-51-0x0000000002E70000-0x0000000002E87000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1252-53-0x0000000002E70000-0x0000000002E87000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1252-55-0x0000000002E70000-0x0000000002E87000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1656-70-0x0000000001F40000-0x0000000001F57000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1656-58-0x0000000001F40000-0x0000000001F57000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1656-60-0x0000000001F40000-0x0000000001F57000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1656-62-0x0000000001F40000-0x0000000001F57000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1980-15-0x00000000003B0000-0x00000000003CF000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1980-21-0x00000000008B0000-0x00000000008C7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1980-17-0x0000000000660000-0x000000000078D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1980-19-0x0000000000A70000-0x0000000000B79000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1980-13-0x00000000004E0000-0x000000000057F000-memory.dmp

        Filesize

        636KB

        Download

      • memory/1980-12-0x0000000000410000-0x00000000004D9000-memory.dmp

        Filesize

        804KB

        Download

      • memory/2188-69-0x0000000001D10000-0x0000000001D27000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2188-67-0x0000000001D10000-0x0000000001D27000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2188-65-0x0000000001D10000-0x0000000001D27000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2260-23-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2260-32-0x0000000002160000-0x0000000002269000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2260-28-0x0000000000240000-0x000000000025F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/2260-26-0x0000000000490000-0x0000000000559000-memory.dmp

        Filesize

        804KB

        Download

      • memory/2260-27-0x0000000000560000-0x00000000005FF000-memory.dmp

        Filesize

        636KB

        Download

      • memory/2260-118-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2260-29-0x00000000006E0000-0x000000000080D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2260-30-0x0000000000810000-0x0000000000881000-memory.dmp

        Filesize

        452KB

        Download

      • memory/2260-34-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2260-33-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2260-31-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2688-2-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2688-0-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2688-3-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2688-18-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download