Analysis

  • max time kernel
    104s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/04/2025, 17:46

General

  • Target

    HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.exe

  • Size

    4.7MB

  • MD5

    d2654d7085cfa021953f9a42c8057bba

  • SHA1

    e86ad4024e568938ca94454f00d04a9303f5f7af

  • SHA256

    41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf

  • SHA512

    2767f4ab916d58a0700d1df4933f6b8edb7d6e54ec9920a6b228ae1c130563942dbf4828e7ca9066fa71f1f195047a3b78a38e63ef67a0d8232f1599d4f00ea3

  • SSDEEP

    98304:uvPbS1fekFplWVo9BvKg8MU9d0IK418OHcX:uvO1jUVB0IK4u

Malware Config

Extracted

Path

C:\ProgramData\Adobe\# M0rphine Help #.hta

Ransom Note
<html>
<head>
<title>M0rphine</title>
<HTA:APPLICATION ID="" APPLICATIONNAME="" BORDER="DIALOG" MAXIMIZEBUTTON="NO" SCROLLFLAT="YES" CAPTION="YES" SELECTION="NO" INNERBORDER="NO" ICON="" SCROLL="NO" SHOWINTASKBAR="YES" SINGLEINSTANCE="YES" SYSMENU="YES" WINDOWSTATE="NORMAL" />
</head>
<script language=javascript>
var winWidth = 800;
var winHeight = 600;
window.resizeTo(winWidth, winHeight);
window.moveTo(screen.width/2-winWidth/2, screen.height/2-winHeight/2);
</script>
<body bgcolor=buttonface text=buttontext style="font: 10pt 'Tahoma'">
<div style="font-weight:bold; font:16pt; text-align: center" id="Tittle">Attention!</div>
<br>
<div style="padding:15px" id="SubTittle">
Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the cipher key recovery is impossible!
<br> <br>
To decrypt your files you need to buy the special software - <strong>M0rphine Decryptor</strong> and your <strong>Private Decryption Key</strong>.
<br> <br>
Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.
<br> <br>
If you want to restore files, write us to the our e-mail: <strong>[email protected]</strong>
<br> <br>
Please write your <strong>Personal Identification Code</strong> in body of your message.
<br> <br>
Also attach to email 3 encrypted files for free decryption test. (each file have to be less than 1 MB size and not have valuable content)
<br> <br>
It is in your interest to respond as soon as possible to ensure the restoration of your files!
<br> <br>
Your <strong>Personal Identification Code</strong>:
</div>
<center>
<textarea style="overflow:auto; font:10pt 'Tahoma'" name="TextArea" rows=10 cols=120 readonly>…</textarea>
</center>
</body>
Emails

[email protected]

Signatures

  • SatanCryptor

    Golang ransomware first seen in early 2020.

  • Satancryptor family
  • Renames multiple (2197) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed with a new extension.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 28 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • GoLang User-Agent 1 IoCs

    Sends HTTP requests with the default User-Agent that Go's net/http package supplies when a program sets none (Go-http-client/1.1).

  • Suspicious use of WriteProcessMemory 6 IoCs
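The mass-rename behaviour behind the "Renames multiple (2197) files with added filename extension" signature is easy to turn into a hunting rule over file-system telemetry. The following Python is an added example written for this page, not code from the sandbox or the sample: it runs over constructed rename events and flags any process that appends one and the same extension to at least 50 files within 60 seconds. The ".locked" extension, the PIDs other than 5616, and the benign entries are assumptions; the page does not name the extension this sample uses.

```python
"""Hunt for the mass-rename pattern behind the 'Renames multiple files with
added filename extension' signature. Added example for this page; the rename
events below are constructed, not taken from the sandbox run."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def added_extension(old_path: str, new_path: str):
    """Return the extension appended to old_path to get new_path, else None.

    Windows paths are case-insensitive, so compare lower-cased. The original
    name must survive intact (report.docx -> report.docx.locked); a rename
    that changes the stem (report.docx -> report_final.docx) is not a hit.
    """
    old, new = old_path.lower(), new_path.lower()
    if not new.startswith(old + "."):
        return None
    ext = new[len(old) + 1:]
    if not ext or "\\" in ext or "/" in ext:
        return None
    return ext


def detect_rename_bursts(events, threshold=50, window=timedelta(seconds=60)):
    """events: iterable of (timestamp, pid, old_path, new_path), time-ordered
    per pid. A pid is flagged when at least `threshold` renames that append
    the SAME extension fall inside any `window`. Returns a sorted list of
    (pid, extension, max_renames_seen_in_one_window)."""
    recent = defaultdict(deque)  # (pid, ext) -> timestamps inside the window
    alerts = {}
    for ts, pid, old, new in events:
        ext = added_extension(old, new)
        if ext is None:
            continue
        q = recent[(pid, ext)]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts[(pid, ext)] = max(alerts.get((pid, ext), 0), len(q))
    return [(pid, ext, n) for (pid, ext), n in sorted(alerts.items())]


T0 = datetime(2025, 4, 2, 17, 46, 0)  # constructed start time for the sample data


def build_sample_events():
    """Constructed telemetry: one ransomware-like burst plus benign renames."""
    events = []
    # Burst: PID 5616 (the sample's PID in the report) appends an ASSUMED
    # '.locked' extension to 60 documents in 30 s. The page does not name the
    # real extension used by this sample.
    for i in range(60):
        old = rf"C:\Users\Admin\Documents\file{i:03d}.docx"
        events.append((T0 + timedelta(seconds=i / 2), 5616, old, old + ".locked"))
    # Benign noise (constructed): an editor's save-by-rename and an installer
    # finishing a download.
    events.append((T0 + timedelta(seconds=5), 1234,
                   r"C:\Users\Admin\Documents\notes.txt~", r"C:\Users\Admin\Documents\notes.txt"))
    events.append((T0 + timedelta(seconds=7), 800,
                   r"C:\Users\Admin\Downloads\setup.partial", r"C:\Users\Admin\Downloads\setup.partial.exe"))
    # A slow trickle of appended '.bak' extensions, five minutes apart, must not trip the window.
    for i in range(10):
        old = rf"C:\Users\Admin\Pictures\img{i}.jpg"
        events.append((T0 + timedelta(minutes=5 * i), 4321, old, old + ".bak"))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for pid, ext, count in detect_rename_bursts(build_sample_events()):
        print(f"ALERT pid={pid} appended .{ext} to {count} files within 60s")
```

The per-(pid, extension) sliding window is what keeps this quiet on normal workloads: a backup job or editor that appends an extension to a handful of files over minutes never reaches the threshold, while an encryptor touching thousands of user documents in seconds does. Tune `threshold` and `window` to the file-event volume of the hosts you monitor.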

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5616
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ver
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1392
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4092
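The process tree above shows the classic self-removal pattern: the sample spawns cmd.exe with /C del against its own path so that the on-disk binary disappears once encryption is done (the "Indicator Removal: File Deletion" signature). The Python below is an added example, not part of the report or the sample, that detects this from Sysmon-style process-creation events (ProcessId, Image, ParentImage, CommandLine) by parsing the del targets out of a cmd.exe command line and comparing them with the parent's image path. The events for PIDs 5616, 1392 and 4092 mirror the tree above (the explorer.exe parent of 5616 is assumed); the PID 7001 installer clean-up and the PID 9001 delayed-delete variant are constructed for illustration.

```python
"""Detect a process that removes its own binary through a cmd.exe child
(the 'cmd.exe /C del <own path>' step in the process tree). Added example for
this page, not code from the report or the sample. Events are Sysmon-style
process-creation records reduced to the fields the check needs."""
import ntpath
import re

# "cmd.exe /C <command>" or "cmd /c <command>": capture what cmd.exe will run.
CMD_PREFIX_RE = re.compile(r'^\s*"?[^"\s]*cmd(?:\.exe)?"?\s+/[cCkK]\s+(.*)$')
DEL_RE = re.compile(r"^\s*(?:del|erase)\b(.*)$", re.IGNORECASE)
SWITCH_RE = re.compile(r"^/[a-z]+$", re.IGNORECASE)


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so quoting/case differences do not matter."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def del_targets(cmdline: str):
    """Return the paths passed to del/erase anywhere in a cmd.exe command line.
    Handles the 'ping ... > nul & del /f /q "path"' delay idiom by splitting
    on cmd's command separators first."""
    m = CMD_PREFIX_RE.match(cmdline)
    script = m.group(1) if m else cmdline
    targets = []
    for part in re.split(r"&&|\|\||&|\|", script):
        d = DEL_RE.match(part)
        if not d:
            continue
        for tok in re.findall(r'"[^"]*"|\S+', d.group(1)):
            if SWITCH_RE.match(tok):  # /f /q /a ... are switches, not paths
                continue
            targets.append(tok.strip('"'))
    return targets


def is_self_delete(event: dict) -> bool:
    """True when a cmd.exe child deletes the executable of its own parent."""
    if ntpath.basename(event["Image"]).lower() != "cmd.exe":
        return False
    parent = _norm(event["ParentImage"])
    return any(_norm(t) == parent for t in del_targets(event["CommandLine"]))


def find_self_deletes(events):
    """ProcessIds of cmd.exe children that delete their parent's image."""
    return [e["ProcessId"] for e in events if is_self_delete(e)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.exe"

SAMPLE_EVENTS = [
    # The three processes from the tree above (parent of 5616 is assumed).
    {"ProcessId": 5616, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 1392, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": "cmd /c ver"},
    {"ProcessId": 4092, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": rf"C:\Windows\system32\cmd.exe /C del {SAMPLE}"},
    # Constructed benign case: an installer cleaning up a temp file, not itself.
    {"ProcessId": 7001, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Admin\Downloads\setup.exe",
     "CommandLine": r'cmd.exe /c del /q "C:\Users\Admin\AppData\Local\Temp\inst.log"'},
    # Constructed delayed self-delete with quoting, switches, mixed case and a ping sleep.
    {"ProcessId": 9001, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 > nul & del /F /Q "c:\users\admin\appdata\local\temp\DROPPER.EXE"'},
]

if __name__ == "__main__":
    print("self-deleting children:", find_self_deletes(SAMPLE_EVENTS))  # [4092, 9001]
```

Comparing normalised paths rather than grepping for "del" is what separates this from a noisy rule: plenty of legitimate installers and updaters delete temp files through cmd.exe, but almost nothing benign asks a child shell to delete the very image it is running from. The `cmd /c ver` child (PID 1392) is the sample fingerprinting the OS version and is correctly not flagged.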

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Adobe\# M0rphine Help #.hta

    Filesize

    4KB

    MD5

    5635280e8d58ce70608bda849587d4ac

    SHA1

    8e7031b50b3ae8e7f8d7aa5eea02bd8a79df765a

    SHA256

    0423d0beb8264a24448b5243be4c68601813ab963909fd9b2d08004fe2cdde8a

    SHA512

    b23be3b6ba3216fc387344ae2b3f803db36c7a54822de41f4b349e068dc9707fa72ad496012c823f3bc15e7eed2a0beafe6845652624de340cf6eef8017b9088