File name:

satanC2.exe

Full analysis: https://app.any.run/tasks/e219a6f4-05e5-47ab-a9a4-fe2b99d967a9
Verdict: Malicious activity
Analysis date: September 10, 2024, 13:33:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
python
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5:

6C63E2D2B1D9CEB7FD822E0627BB5DF4

SHA1:

BAF3E78639A8A835E77A591F19516FA461AF656B

SHA256:

CD423D772A1F7BD99D83BC09611BE2317A83C50BBC0D4212A5D0900FC8ED5A05

SSDEEP:

98304:lXE5BKsuDOXScbtnbGd49IRQJ+FgLHIcctvQ4qUmbJ7E8coKSTdB9kUp5JU5XjAB:mf/1T82YqzQ0rKVTMG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Application launched itself

      • satanC2.exe (PID: 5712)

    • Process drops legitimate windows executable

      • satanC2.exe (PID: 5712)

    • Executable content was dropped or overwritten

      • satanC2.exe (PID: 5712)

    • Process drops python dynamic module

      • satanC2.exe (PID: 5712)

    • The process drops C-runtime libraries

      • satanC2.exe (PID: 5712)

    • Loads Python modules

      • satanC2.exe (PID: 5544)

  • INFO

    • Reads the computer name

      • satanC2.exe (PID: 5712)

    • Checks supported languages

      • satanC2.exe (PID: 5712)
      • satanC2.exe (PID: 5544)

    • Create files in a temporary directory

      • satanC2.exe (PID: 5712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:11:03 18:29:41+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.34
CodeSize: 166400
InitializedDataSize: 152576
UninitializedDataSize: -
EntryPoint: 0xa6a0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start satanc2.exe conhost.exe no specs satanc2.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5544"C:\Users\admin\Desktop\satanC2.exe" C:\Users\admin\Desktop\satanC2.exesatanC2.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\satanc2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5712"C:\Users\admin\Desktop\satanC2.exe" C:\Users\admin\Desktop\satanC2.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\satanc2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5720\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesatanC2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
217
Read events
217
Write events
0
Delete events
0

Modification events

No data
Executable files
64
Suspicious files
1
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:A5D19084230A0A3CC3D8B28DD9105C30
SHA256:6439C3B78EE318397BB2EE2729A914826F9E58C8DEC456CE74BC8CEA1C41D060
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_hashlib.pydexecutable
MD5:4255C44DC64F11F32C961BF275AAB3A2
SHA256:E557873D5AD59FD6BD29D0F801AD0651DBB8D9AC21545DEFE508089E92A15E29
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_socket.pydexecutable
MD5:1EEA9568D6FDEF29B9963783827F5867
SHA256:74181072392A3727049EA3681FE9E59516373809CED53E08F6DA7C496B76E117
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_lzma.pydexecutable
MD5:E5ABC3A72996F8FDE0BCF709E6577D9D
SHA256:1796038480754A680F33A4E37C8B5673CC86C49281A287DC0C5CAE984D0CB4BB
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_queue.pydexecutable
MD5:F00133F7758627A15F2D98C034CF1657
SHA256:35609869EDC57D806925EC52CCA9BC5A035E30D5F40549647D4DA6D7983F8659
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_ssl.pydexecutable
MD5:208B0108172E59542260934A2E7CFA85
SHA256:5160500474EC95D4F3AF7E467CC70CB37BEC1D12545F0299AAB6D69CEA106C69
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_ctypes.pydexecutable
MD5:BD36F7D64660D120C6FB98C8F536D369
SHA256:EE543453AC1A2B9B52E80DC66207D3767012CA24CE2B44206804767F37443902
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\VCRUNTIME140.dllexecutable
MD5:4585A96CC4EEF6AAFD5E27EA09147DC6
SHA256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_decimal.pydexecutable
MD5:65B4AB77D6C6231C145D3E20E7073F51
SHA256:93EB9D1859EDCA1C29594491863BF3D72AF70B9A4240E0D9DD171F668F4F8614
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_overlapped.pydexecutable
MD5:E5ACEAF21E82253E300C0B78793887A8
SHA256:D950342686C959056FF43C9E5127554760FA20669D97166927DD6AAE5494E02A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
16
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1356
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6112
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1356
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1356
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1356
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4324
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
satanC2.exe