File name:	3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe
Full analysis:	https://app.any.run/tasks/86f3a750-f4ce-4a18-bb62-89c81fdcbe4a
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	March 17, 2024, 04:15:19
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	ransomware
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	6C5819190FF74BA8DCAA64B57E1EB8F7
SHA1:	7573AB29469E9D182F56D0B13C1DAE41E9184526
SHA256:	3488E674A734E33410A122472C102763EDB84B4184B10E041F9C774B9213BD22
SSDEEP:	3072:gdidr9K7pV1vA89WdQvDbTimSDJF2fww83Wrp77lmjZ3brbSgNXWJa2qli3TidAU:dr9qpVKQsJF2farzX1YTOyOZd

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:03:14 02:43:40+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	223232
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x3871e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	0.0.0.0
InternalName:	SatanCE.exe
LegalCopyright:
OriginalFileName:	SatanCE.exe
ProductVersion:	0.0.0.0
AssemblyVersion:	0.0.0.0


(PID) Process:	(6212) 3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6212) 3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6212) 3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6212) 3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6732) SatanCE.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6732) SatanCE.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6732) SatanCE.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6732) SatanCE.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(5908) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5908) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Description
Operation:	write	Name:	FirmwareModified
Value: 1

PID	Process	Filename		Type
6732	SatanCE.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SatanCE.url		text
		MD5:26F22FCF4974A0C0AF8EF2D44BABE7DC	SHA256:3475356FE1DE358C15C07CAADAAD9395FE07DCADE0041750277240E388967545
6212	3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe	C:\Users\admin\AppData\Roaming\SatanCE.exe		executable
		MD5:6C5819190FF74BA8DCAA64B57E1EB8F7	SHA256:3488E674A734E33410A122472C102763EDB84B4184B10E041F9C774B9213BD22
6732	SatanCE.exe	C:\Users\admin\Desktop\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe.ll0w		text
		MD5:C852463582879DCFC88A6518D6221570	SHA256:6D87F8599B2115658C0FC1A197536F3CBDE9B170A91815BC6DA41B14F60B1DFC
6212	3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe	C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe.log		csv
		MD5:89E7F177B4D915F4928F903DC439DB5A	SHA256:879E73CE214845BF2331D435523648B503C092F7BC18E301934D5E13C8B767D9
6732	SatanCE.exe	C:\Users\admin\Desktop\3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe		text
		MD5:C852463582879DCFC88A6518D6221570	SHA256:6D87F8599B2115658C0FC1A197536F3CBDE9B170A91815BC6DA41B14F60B1DFC
6732	SatanCE.exe	C:\Users\admin\Desktop\desktop.ini.kptz		text
		MD5:22C19B4DB13E2E6D924B596AB06E818A	SHA256:B2098DD051612E70C5E39D8406C9881D52FFE5922D8F58168A6100D6251F6BAD
6732	SatanCE.exe	C:\Users\admin\Desktop\enjoyopportunities.jpg		text
		MD5:CD70A733873D84889F03AE93711714A6	SHA256:D8B6D43C9DF84E46B3D599BF5645667CD4C0625E71CA220BABF8217B398D594B
6732	SatanCE.exe	C:\Users\admin\Desktop\Warning		text
		MD5:C75B56F95828F12EBAC6712CD64FAEFA	SHA256:F6386967312097F6E26419438D6C5FF6D399D624F9099956A49E4E305417FDC2
6732	SatanCE.exe	C:\Users\admin\Desktop\desktop.ini		text
		MD5:22C19B4DB13E2E6D924B596AB06E818A	SHA256:B2098DD051612E70C5E39D8406C9881D52FFE5922D8F58168A6100D6251F6BAD
6732	SatanCE.exe	C:\Users\admin\Desktop\distributioncurrent.rtf		text
		MD5:2650CD2707115BE8A88C9D21D3F4C84E	SHA256:33B92530089B9AECF94BD8B6D8C7ADC244BC483EA08B540E3C4EB19DFE7B115B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3996	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown
3996	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown
3996	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown
3996	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown
1260	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	binary	313 b	unknown
4292	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D	unknown	binary	471 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4828	svchost.exe	239.255.255.250:1900	—	—	—	unknown
3996	svchost.exe	20.190.159.73:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1280	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3996	svchost.exe	40.126.31.71:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3996	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1260	backgroundTaskHost.exe	95.101.23.43:443	—	Akamai International B.V.	AT	unknown
1280	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4292	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5236	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1260	backgroundTaskHost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

Domain	IP	Reputation
ocsp.digicert.com	192.229.221.95	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
arc.msn.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

Process	Message
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
wbadmin.exe	Invalid parameter passed to C runtime function.
notepad++.exe	ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	VerifyLibrary: error while getting certificate informations

General Info

3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22.exe

6C5819190FF74BA8DCAA64B57E1EB8F7

7573AB29469E9D182F56D0B13C1DAE41E9184526

3488E674A734E33410A122472C102763EDB84B4184B10E041F9C774B9213BD22

3072:gdidr9K7pV1vA89WdQvDbTimSDJF2fww83Wrp77lmjZ3brbSgNXWJa2qli3TidAU:dr9qpVKQsJF2farzX1YTOyOZd

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Create files in the Startup directory

Steals credentials from Web Browsers

Renames files like ransomware

Deletes shadow copies

Using BCDEDIT.EXE to modify recovery options

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Executable content was dropped or overwritten

Starts itself from another location

Write to the desktop.ini file (may be used to cloak folders)

Executes as Windows Service

Starts CMD.EXE for commands execution

INFO

Creates files or folders in the user directory

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Process checks computer location settings

Manual execution by a user

Reads security settings of Internet Explorer

Reads Microsoft Office registry keys

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings