General

  • Target: satan_1.0.0.9.vir
  • Size: 189KB
  • Sample: 200719-fn6rjj7asx
  • MD5: 7f20b566c295cb058b55f69a49d0d83c
  • SHA1: 2f53999c8d41c62be58e4d067f18945edf4e1ff9
  • SHA256: ed84a7185bd3decfe9104fa3f6dad24bb0a0ff27a1a792a05ef0f2b010bf7b9b
  • SHA512: 0d51a4aa18203e9ab34c3ee66a70109d70bd36a2a3ecfa36886d4463532f2121153250c10f230b1314b2c519b4f1d40d103ff590c5d076cc9730247878dd64c8

Malware Config

Targets

    • Target: satan_1.0.0.9.vir


    • Deletes shadow copies: ransomware often targets backup files to inhibit system recovery.
    • Executes dropped EXE
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
    • Deletes itself
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Modifies service
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                            ID      Count
Persistence       Registry Run Keys / Startup Folder   T1060   1
Persistence       Modify Existing Service              T1031   1
Defense Evasion   File Deletion                        T1107   2
Defense Evasion   Virtualization/Sandbox Evasion       T1497   1
Defense Evasion   Modify Registry                      T1112   3
Defense Evasion   Install Root Certificate             T1130   1
Discovery         Query Registry                       T1012   2
Discovery         Virtualization/Sandbox Evasion       T1497   1
Discovery         System Information Discovery         T1082   2
Impact            Inhibit System Recovery              T1490   2
