General

  • Target

    satan_1.0.0.6.vir

  • Size

    186KB

  • Sample

    200719-qqms7j6ddx

  • MD5

    b15b72290de91e819900fa1a5b44d149

  • SHA1

    7182c6b1f970d882ef7e1c6c4608c43b80b6b381

  • SHA256

    84dd7afbfc63272eea2c55b6d079ef1897971516e3a7359aa932fec10ea6d4b6

  • SHA512

    1bc3225884abca71be1eb1cc1b16dc82fec8c657e0992957d93687e45e40e38aba701571f9f58ea7100b464ba2d64b0600548889c92826f17708eabc43822100

Malware Config

Targets

    • Target

      satan_1.0.0.6.vir

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Modifies service

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

    • T1060 Registry Run Keys / Startup Folder: 1

    • T1031 Modify Existing Service: 1

Defense Evasion

    • T1107 File Deletion: 2

    • T1497 Virtualization/Sandbox Evasion: 1

    • T1112 Modify Registry: 3

    • T1130 Install Root Certificate: 1

Discovery

    • T1012 Query Registry: 2

    • T1497 Virtualization/Sandbox Evasion: 1

    • T1082 System Information Discovery: 2

Impact

    • T1490 Inhibit System Recovery: 2

Tasks