File name: | SATURN_RANSOM.exe |
Full analysis: | https://app.any.run/tasks/a190b9f9-a70d-404e-8255-cc428e182865 |
Verdict: | Malicious activity |
Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
Analysis date: | October 04, 2022, 21:47:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | BBD4C2D2C72648C8F871B36261BE23FD |
SHA1: | 77C525E6B8A5760823AD6036E60B3FA244DB8E42 |
SHA256: | 9E87F069DE22CEAC029A4AC56E6305D2DF54227E6B0F0B3ECAD52A01FBADE021 |
SSDEEP: | 6144:zUrigyvF8Q9fLglQ8t0qabFDfOdQ/LDA8H+wwaMZUUAOq+mwNf8fsS+:zUrigY8QBLg9t0qabFDGdQ/TlYiUQ+Vz |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2018-Feb-14 19:19:14 |
Detected languages: |
|
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 264 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2018-Feb-14 19:19:14 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 211962 | 211968 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60183 |
.rdata | 217088 | 72394 | 72704 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.5994 |
.data | 290816 | 51332 | 47616 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.03793 |
.rsrc | 344064 | 736 | 1024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.272 |
.reloc | 348160 | 11860 | 12288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.52577 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.07176 | 640 | UNKNOWN | English - United States | RT_MANIFEST |
ADVAPI32.dll |
CRYPT32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2272 | "C:\Users\admin\Desktop\SATURN_RANSOM.exe" | C:\Users\admin\Desktop\SATURN_RANSOM.exe | Explorer.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2084 | "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet | C:\Windows\System32\cmd.exe | — | SATURN_RANSOM.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 4294967294 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1264 | vssadmin.exe delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3668 | wmic.exe shadowcopy delete | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1408 | bcdedit /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\system32\bcdedit.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Boot Configuration Data Editor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1440 | bcdedit /set {default} recoveryenabled no | C:\Windows\system32\bcdedit.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Boot Configuration Data Editor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3180 | wbadmin delete catalog -quiet | C:\Windows\system32\wbadmin.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Command Line Interface for Microsoft® BLB Backup Exit code: 4294967294 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4076 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\#DECRYPT_MY_FILES#.txt | C:\Windows\system32\NOTEPAD.EXE | — | SATURN_RANSOM.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2100 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\#DECRYPT_MY_FILES#.vbs" | C:\Windows\System32\WScript.exe | — | SATURN_RANSOM.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
2152 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\#DECRYPT_MY_FILES#.html | C:\Program Files\Internet Explorer\iexplore.exe | SATURN_RANSOM.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
(PID) Process: | (2272) SATURN_RANSOM.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2272) SATURN_RANSOM.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2272) SATURN_RANSOM.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2272) SATURN_RANSOM.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (2152) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
(PID) Process: | (2152) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: 869790288 | |||
(PID) Process: | (2152) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 30988347 | |||
(PID) Process: | (2152) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: | |||
(PID) Process: | (2152) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30988347 | |||
(PID) Process: | (2100) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon |
Operation: | write | Name: | CLSID |
Value: {C9E37C15-DF92-4727-85D6-72E5EEB6995A} |
PID | Process | Filename | Type | |
---|---|---|---|---|
2272 | SATURN_RANSOM.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccessMUI.xml | binary | |
MD5:9334701D39A095C93097DF989A4890BA | SHA256:48B1C51E7A69DF171B709561D50F91919F3FEDF33133E476C975DF837FFC6675 | |||
2272 | SATURN_RANSOM.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\#KEY-e340015603cf0fc144de5d2be9ca6d09.KEY | binary | |
MD5:2AAB60BE9FBC4E493F14B9D05852778A | SHA256:188DBECD85CC0D07FD9A70B11A28A9FDE8EDE984DA3AFD73532A02AC5887AF1B | |||
2272 | SATURN_RANSOM.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\Setup.xml.saturn | binary | |
MD5:26C5F7351D0DB5EB580AA8B35B033549 | SHA256:3D3D26997EB803E56A49BB9C0E694B1FFA888F754C28CBAC9058E208BF9BBCDF | |||
2272 | SATURN_RANSOM.exe | C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\#KEY-e340015603cf0fc144de5d2be9ca6d09.KEY | binary | |
MD5:57BF0C10ABCBCC6FAE87B171C393566B | SHA256:9B5AA389A5535F6D7720DE7F3FEC78B3E8C98828A9CEFFDD485F947E481D6BD8 | |||
2272 | SATURN_RANSOM.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5zy4hsui.lnk | lnk | |
MD5:0BC50A1D32E9914236514DAAB7A9E619 | SHA256:0E61766A584D3610C51D19020C81A418C27697B12F6F099B33463F57F3ED3BE4 | |||
2272 | SATURN_RANSOM.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\branding.xml | binary | |
MD5:C7C74A02F2A1DCB0FEAD461C61B6CAFB | SHA256:8169B30FD04646D01A75B4AFB5DE3736908CEF7DF5D3A0E571EDA2EEB5FAD2BC | |||
2272 | SATURN_RANSOM.exe | C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccessMUI.xml | binary | |
MD5:98BFBA18446770EF96A444369BCDF483 | SHA256:43154AC8817BA99AD1F9FABC2D3112F61605F8C0330347B578514723A3FF4F44 | |||
2272 | SATURN_RANSOM.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\Setup.xml.79zo | binary | |
MD5:77E2411842D31F1F40C2488C48AD8D2C | SHA256:F7076EB87CDC97A7ED8E912AEF2919C05D234C5BDDE159D990FB89AEE528B147 | |||
2272 | SATURN_RANSOM.exe | C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccessMUI.xml.79zo | binary | |
MD5:33C269F456594071114F5D64E90DC238 | SHA256:159EFE1E4FE98D5E3971F990FBED3F0892CFA0EBDF9047A1FCDE3AB79D7E349C | |||
2272 | SATURN_RANSOM.exe | C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccessMUI.xml.saturn | binary | |
MD5:9334701D39A095C93097DF989A4890BA | SHA256:48B1C51E7A69DF171B709561D50F91919F3FEDF33133E476C975DF837FFC6675 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2152 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
2152 | iexplore.exe | GET | 200 | 8.253.207.121:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6f58e75a79c3f146 | US | compressed | 4.70 Kb | whitelisted |
2152 | iexplore.exe | GET | 200 | 8.253.95.120:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d33a969621321c73 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2152 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2152 | iexplore.exe | 8.253.207.121:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious |
2152 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
2152 | iexplore.exe | 8.253.95.120:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious |
Domain | IP | Reputation |
---|---|---|
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |