File name:

satanC2.exe

Full analysis: https://app.any.run/tasks/e219a6f4-05e5-47ab-a9a4-fe2b99d967a9
Verdict: Malicious activity
Analysis date: September 10, 2024, 13:33:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
python
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5:

6C63E2D2B1D9CEB7FD822E0627BB5DF4

SHA1:

BAF3E78639A8A835E77A591F19516FA461AF656B

SHA256:

CD423D772A1F7BD99D83BC09611BE2317A83C50BBC0D4212A5D0900FC8ED5A05

SSDEEP:

98304:lXE5BKsuDOXScbtnbGd49IRQJ+FgLHIcctvQ4qUmbJ7E8coKSTdB9kUp5JU5XjAB:mf/1T82YqzQ0rKVTMG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • satanC2.exe (PID: 5712)

    • Process drops python dynamic module

      • satanC2.exe (PID: 5712)

    • Loads Python modules

      • satanC2.exe (PID: 5544)

    • Process drops legitimate windows executable

      • satanC2.exe (PID: 5712)

    • Executable content was dropped or overwritten

      • satanC2.exe (PID: 5712)

    • Application launched itself

      • satanC2.exe (PID: 5712)

  • INFO

    • Reads the computer name

      • satanC2.exe (PID: 5712)

    • Create files in a temporary directory

      • satanC2.exe (PID: 5712)

    • Checks supported languages

      • satanC2.exe (PID: 5544)
      • satanC2.exe (PID: 5712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:11:03 18:29:41+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.34
CodeSize: 166400
InitializedDataSize: 152576
UninitializedDataSize: -
EntryPoint: 0xa6a0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start satanc2.exe conhost.exe no specs satanc2.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5544"C:\Users\admin\Desktop\satanC2.exe" C:\Users\admin\Desktop\satanC2.exesatanC2.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\satanc2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5712"C:\Users\admin\Desktop\satanC2.exe" C:\Users\admin\Desktop\satanC2.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\satanc2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5720\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesatanC2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
217
Read events
217
Write events
0
Delete events
0

Modification events

No data
Executable files
64
Suspicious files
1
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_cffi_backend.cp311-win_amd64.pydexecutable
MD5:FDE9A1D6590026A13E81712CD2F23522
SHA256:16ECCC4BAF6CF4AB72ACD53C72A1F2B04D952E07E385E9050A933E78074A7D5B
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\VCRUNTIME140.dllexecutable
MD5:4585A96CC4EEF6AAFD5E27EA09147DC6
SHA256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_decimal.pydexecutable
MD5:65B4AB77D6C6231C145D3E20E7073F51
SHA256:93EB9D1859EDCA1C29594491863BF3D72AF70B9A4240E0D9DD171F668F4F8614
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_lzma.pydexecutable
MD5:E5ABC3A72996F8FDE0BCF709E6577D9D
SHA256:1796038480754A680F33A4E37C8B5673CC86C49281A287DC0C5CAE984D0CB4BB
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_ctypes.pydexecutable
MD5:BD36F7D64660D120C6FB98C8F536D369
SHA256:EE543453AC1A2B9B52E80DC66207D3767012CA24CE2B44206804767F37443902
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_socket.pydexecutable
MD5:1EEA9568D6FDEF29B9963783827F5867
SHA256:74181072392A3727049EA3681FE9E59516373809CED53E08F6DA7C496B76E117
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:88870D5E29A3C5297F3B7E69B7ECD74D
SHA256:9608C021164094322899E5799A86188891FA571A4E31B36888E256324C7D76BD
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_uuid.pydexecutable
MD5:46E9D7B5D9668C9DB5CAA48782CA71BA
SHA256:F6063622C0A0A34468679413D1B18D1F3BE67E747696AB972361FAED4B8D6735
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\_overlapped.pydexecutable
MD5:E5ACEAF21E82253E300C0B78793887A8
SHA256:D950342686C959056FF43C9E5127554760FA20669D97166927DD6AAE5494E02A
5712satanC2.exeC:\Users\admin\AppData\Local\Temp\_MEI57122\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:F57813D3B4B2669EE379C8D63D068507
SHA256:7009A34534C64708F00117345BF577611747351F723969B50DB761DEFC9360F2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
16
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1356
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6112
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1356
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1356
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1356
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4324
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
satanC2.exe