Edit tour

Windows Analysis Report
Saturn.exe

Overview

General Information

Sample name:	Saturn.exe
Analysis ID:	1663989
MD5:	645480997f1fc150364d13d97f834c91
SHA1:	69fafb926ce6c1014a2e100c2e68a6fd9f448f52
SHA256:	8e1ecff4e5de17f7d3444d679d0da8cdf05ef7aee7052e9f237efba9202e965e
Tags:	exeuser-FelloBoiYuuka
Infos:

Detection

Score:	56
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Allocates memory with a write watch (potentially for evading sandboxes)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Saturn.exe (PID: 5452 cmdline: "C:\Users\user\Desktop\Saturn.exe" MD5: 645480997F1FC150364D13D97F834C91)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Saturn.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Saturn.exe	Virustotal: Detection: 16%			Perma Link
Source: Saturn.exe	ReversingLabs: Detection: 19%

Source: Saturn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Saturn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\NullException\Documents\Visual Studio 2013\Projects\Detonator\Detonator\obj\Debug\Detonator.pdb source: Saturn.exe

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: c.pki.goog

Source: Saturn.exe, 00000000.00000002.2572337880.0000000003161000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: Saturn.exe, 00000000.00000000.1324354024.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDetonator.exe< vs Saturn.exe
Source: Saturn.exe	Binary or memory string: OriginalFilenameDetonator.exe< vs Saturn.exe

Source: Saturn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.winEXE@1/0@1/0

Source: C:\Users\user\Desktop\Saturn.exe

Mutant created: NULL

Source: Saturn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Saturn.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\Saturn.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Saturn.exe	Virustotal: Detection: 16%
Source: Saturn.exe	ReversingLabs: Detection: 19%

Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Section loaded: wintypes.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Saturn.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Saturn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Saturn.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Saturn.exe

Static file information: File size 4911104 > 1048576

Source: Saturn.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4ad400

Source: Saturn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Saturn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\NullException\Documents\Visual Studio 2013\Projects\Detonator\Detonator\obj\Debug\Detonator.pdb source: Saturn.exe

Source: C:\Users\user\Desktop\Saturn.exe

Code function: 0_2_00007FF7C816593D push ebx; retf 0008h

0_2_00007FF7C816594A

Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Saturn.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Memory allocated: 1B160000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Saturn.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Saturn.exe	Queries volume information: C:\Users\user\Desktop\Saturn.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Saturn.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Saturn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Saturn.exe	17%	Virustotal		Browse
Saturn.exe	19%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
Saturn.exe	100%	Avira	TR/Agent.ajes

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
pki-goog.l.google.com	74.125.21.94	true	false	high
c.pki.goog	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Saturn.exe, 00000000.00000002.2572337880.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1663989
Start date and time:	2025-04-13 05:38:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Saturn.exe
Detection:	MAL
Classification:	mal56.winEXE@1/0@1/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 96% Number of executed functions: 16 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 150.171.28.254, 172.202.163.200
Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Saturn.exe, PID 5452 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pki-goog.l.google.com	Setupx-64.exe	Get hash	malicious	DCRat	Browse	172.217.215.94
	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Get hash	malicious	GhostRat	Browse	172.217.215.94
	SecuriteInfo.com.Trojan.DownLoader48.29860.1293.7282.exe	Get hash	malicious	DcRat	Browse	64.233.185.94
	2zb8yjqduP.dll	Get hash	malicious	Unknown	Browse	74.125.21.94
	GSRuGK48Ex.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	142.250.9.94
	rxm.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	142.251.15.94
	Rd_client_w_a_s_d_patched.exe	Get hash	malicious	LummaC Stealer	Browse	74.125.21.94
	67f525209658e.vbs	Get hash	malicious	LummaC Stealer	Browse	108.177.122.94
	IMSoftware{Launcher}3.21.exe	Get hash	malicious	LummaC Stealer	Browse	142.251.15.94
	SoftWare(2).exe	Get hash	malicious	LummaC Stealer	Browse	74.125.21.94
bg.microsoft.map.fastly.net	Setupx-64.exe	Get hash	malicious	DCRat	Browse	199.232.214.172
	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Get hash	malicious	GhostRat	Browse	199.232.214.172
	SecuriteInfo.com.Trojan.DownLoader48.29860.1293.7282.exe	Get hash	malicious	DcRat	Browse	199.232.210.172
	support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	jre-8u441-windows-x64.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	jre-8u441-windows-x64.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	AxgHj313r7.exe	Get hash	malicious	Rhysida, TrojanRansom	Browse	199.232.210.172
	Dd73LmElYt.ppt	Get hash	malicious	Unknown	Browse	199.232.214.172
	Dd73LmElYt.ppt	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.997829503776488
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	Saturn.exe
File size:	4'911'104 bytes
MD5:	645480997f1fc150364d13d97f834c91
SHA1:	69fafb926ce6c1014a2e100c2e68a6fd9f448f52
SHA256:	8e1ecff4e5de17f7d3444d679d0da8cdf05ef7aee7052e9f237efba9202e965e
SHA512:	f311881401bf5541eab3e510603c78f3908ad8c3fcf80cdd8d6ac842a187df1b5c8c603a0635f1f070ac4eb93c0596d88dd394f56b2866b5fcf0d411722ead7c
SSDEEP:	98304:vmQeKTZoVYyD1LKhNc0N9Fh/K00OtR4AkTv/sLRJOFdtH:v4qmWPfFFjlttOsXOnx
TLSH:	AA36337326C7CB80D918DA3B606D861C8D73991BF3438602BC63D9BA5A25DE5C7C1F91
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n\..................J...........J.. ....K...@.. .......................`K...........@................................

File Icon


Icon Hash:	0f4dcc71e94d2d9f

Static PE Info

General

Entrypoint:	0x8af3ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C6EBE98 [Thu Feb 21 15:07:04 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4af394	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4b2000	0x12c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4b0000	0x1c	.sdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4ad3f4	0x4ad400	cf4827e1276db0fb4638117858bb6a1f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0x4b0000	0x138	0x200	d9d3839a0eb739f0ac92a7acbe4cbb53	False	0.28125	data	2.227383602557614	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4b2000	0x12c8	0x1400	860cd0e323a329185873c20c1ac30b84	False	0.369140625	data	4.970649703521283	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4b4000	0xc	0x200	b8aa598e9b0b08e70d189a36ed767ef9	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4b2498	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.4838709677419355
RT_GROUP_ICON	0x4b2780	0x14	data	1.25
RT_VERSION	0x4b2130	0x364	data	0.43202764976958524
RT_MANIFEST	0x4b2798	0xb29	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.35316765838291914

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	Saturn Trojan
CompanyName	NullException
FileDescription	Saturn
FileVersion	1.0.0.0
InternalName	Detonator.exe
LegalCopyright	Copyright 2018
LegalTrademarks	Soon
OriginalFilename	Detonator.exe
ProductName	Saturn Trojan
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 13, 2025 05:39:06.121934891 CEST	54529	53	192.168.2.5	1.1.1.1
Apr 13, 2025 05:39:06.229398012 CEST	53	54529	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 13, 2025 05:39:06.121934891 CEST	192.168.2.5	1.1.1.1	0x5ff3	Standard query (0)	c.pki.goog	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 13, 2025 05:39:05.570122957 CEST	1.1.1.1	192.168.2.5	0xb595	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 13, 2025 05:39:05.570122957 CEST	1.1.1.1	192.168.2.5	0xb595	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 13, 2025 05:39:06.229398012 CEST	1.1.1.1	192.168.2.5	0x5ff3	No error (0)	c.pki.goog	pki-goog.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 13, 2025 05:39:06.229398012 CEST	1.1.1.1	192.168.2.5	0x5ff3	No error (0)	pki-goog.l.google.com		74.125.21.94	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: Saturn.exePID: 5452, Parent PID: 3084

General

Target ID:	0
Start time:	23:39:07
Start date:	12/04/2025
Path:	C:\Users\user\Desktop\Saturn.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Saturn.exe"
Imagebase:	0xa00000
File size:	4'911'104 bytes
MD5 hash:	645480997F1FC150364D13D97F834C91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Saturn.exePID: 5452, Parent PID: 3084COMMON

Executed Functions

Function 00007FF7C816254D Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

jC%, xrefs: 00007FF7C81625E2

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID: jC%
API String ID: 0-1416033877
Opcode ID: 4a49d5caf6e3fd7706a8ab2c905ff89815351ed16b5297205b197e102bbc9a01
Instruction ID: 69148fb9905cd1c3fdeb7d3d6fb61a1ee8721015eb2a8428f45fa4895daac855
Opcode Fuzzy Hash: 4a49d5caf6e3fd7706a8ab2c905ff89815351ed16b5297205b197e102bbc9a01
Instruction Fuzzy Hash: 5631F73090859D8FDBA4EF18AC696E5BBF1FF86711F4001EAD449D3192DE345D41CB50

Function 00007FF7C81625CB Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

jC%, xrefs: 00007FF7C81625E2

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID: jC%
API String ID: 0-1416033877
Opcode ID: e853ce9aed386e144b3b0a05c2dcb7a064849225ffbba3fb3b1cf561876bfb4c
Instruction ID: ab3119d1c349e6cc11c4ab54f738af7747509efb5d63c7444f261af7d93fdca7
Opcode Fuzzy Hash: e853ce9aed386e144b3b0a05c2dcb7a064849225ffbba3fb3b1cf561876bfb4c
Instruction Fuzzy Hash: AF11E830E1895D8FDB94EF18D8996A9B7F1FB98742F5001AAD40DE72A1DE306D81DB04

Function 00007FF7C81633A1 Relevance: 1.3, Instructions: 1290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea18e1927736795febc51fffaf5039668c775964db3d3c9073391bba7e18c0ef
Instruction ID: fc2f681baf6ecbcb6a435f4fc1da8c83005b7cb9ef76176c4df16c2b46853a9c
Opcode Fuzzy Hash: ea18e1927736795febc51fffaf5039668c775964db3d3c9073391bba7e18c0ef
Instruction Fuzzy Hash: A1B28B74A09A5D8FDB94EF18C888BA9B3E1FF69301F4505A9E40DD72A5CA75ED81CF00

Function 00007FF7C816397D Relevance: .9, Instructions: 863COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cfc9f42f8ac62f4daab578a6b68044ed6211841689163ce90da0737b7f12ac
Instruction ID: b9c55c2ca37511371988f2207664b0f8b830a23e6573a8843fb66778be2da5a1
Opcode Fuzzy Hash: 62cfc9f42f8ac62f4daab578a6b68044ed6211841689163ce90da0737b7f12ac
Instruction Fuzzy Hash: 66626C34A05A5D8FDB94EF18D888BA9B3E1FF69302F4514A9E40DD72A5CA75ED81CF00

Function 00007FF7C8162824 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85c5e97da2a7897a19afad06a8caa38a17daa986338a316b858d07191a2c783
Instruction ID: f9d70c5f1f3afbc62104c363daa2482fad894a14af8138c494464a637824710d
Opcode Fuzzy Hash: b85c5e97da2a7897a19afad06a8caa38a17daa986338a316b858d07191a2c783
Instruction Fuzzy Hash: A7E19C34A09A5D8FDB95EF18D898BA9B3F1FF69301F4505A9E40DD7266CA34ED81CB00

Function 00007FF7C8162D06 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66411cd0d9ca48f2a788b09012cd76ed621880a2a8dd16dd6c930759f68dde4
Instruction ID: 021d557baeff61e104e84c1666af16afec5959986d9980cf03477f6495c15d6f
Opcode Fuzzy Hash: a66411cd0d9ca48f2a788b09012cd76ed621880a2a8dd16dd6c930759f68dde4
Instruction Fuzzy Hash: CAD19E74A09A598FCB99EF18C888F99B7F1FF69301F0505E9A40DD7265CA75EE80CB00

Function 00007FF7C8162ABE Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91c8e0a2dd8844ad8ade5f26678a0e8a5dafd1c9d81134ec4cf40687044a730
Instruction ID: 1013e3efebc6971534350264cbc09d36fdda93cce281e5b9eeeb08bf5d74f92b
Opcode Fuzzy Hash: a91c8e0a2dd8844ad8ade5f26678a0e8a5dafd1c9d81134ec4cf40687044a730
Instruction Fuzzy Hash: E4815934A09A1D8FDB95EF18C898BA9B7F1FF69301F4505A9A40DD7265CA74EE81CF00

Function 00007FF7C8160B7D Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2807d0971f743c15f4e40fcd6e4295a11c41049702ea5007ed7176a6b3ea626b
Instruction ID: 8768a5e4dd0cdfaacf106a3095ee7fa44f4a692d0815b1ebb962f9a33f6fef04
Opcode Fuzzy Hash: 2807d0971f743c15f4e40fcd6e4295a11c41049702ea5007ed7176a6b3ea626b
Instruction Fuzzy Hash: 8D516C70909A4D8FDB88EF28E8946EDB7F1FF99314F4404BAE409D7291CB79A851CB40

Function 00007FF7C8162918 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f57a086cc9ec93b9a1a17c81b022937e6d43d0c63d7b4aae3c03dce0e5fd3d
Instruction ID: 25a6b45f9faed7d5fbc170237f618e704a92970fd78a47c9643923ed7513a3c1
Opcode Fuzzy Hash: 63f57a086cc9ec93b9a1a17c81b022937e6d43d0c63d7b4aae3c03dce0e5fd3d
Instruction Fuzzy Hash: 03515934A09A598FDB94EF18C888BA9B7F1FF69301F4105A9E40DD7266CA75ED91CB00

Function 00007FF7C8162171 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6ea4e684f206293464a906cf95ff45578b99da718c5a4726e160b61e90400a
Instruction ID: c24c0f925dc1be5b5c74209fd2197739d55bf53c0b1d6bf4d29439bf3a8b6cbf
Opcode Fuzzy Hash: ba6ea4e684f206293464a906cf95ff45578b99da718c5a4726e160b61e90400a
Instruction Fuzzy Hash: 82219F70928A8E8FDB88EF14D894AE9B7B0FF55304F9445BEE409C7296CF35A941CB50

Function 00007FF7C81635AC Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0600d02036ac9b168ab341c64d7dddfcb226c119db75edc1307a191883e2ead0
Instruction ID: b0e8786b96a1531a4aa31f94e763eb1ca21c8c2de860f87518674ddd4e621bc5
Opcode Fuzzy Hash: 0600d02036ac9b168ab341c64d7dddfcb226c119db75edc1307a191883e2ead0
Instruction Fuzzy Hash: 9B31C2B4909A588FDB94EF18C885F99B7F1EF69301F4100E9E54ED7262CA34ED84CB54

Function 00007FF7C81635B6 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b5d3a6299c5e373d2f58aac8c4a97fcca44d02310c6c18363fe0def841cd59
Instruction ID: 1c7933e900c2956e0679477c1fc9172ed23b5ab621bc7b57ee4bbdc610c0a9da
Opcode Fuzzy Hash: 72b5d3a6299c5e373d2f58aac8c4a97fcca44d02310c6c18363fe0def841cd59
Instruction Fuzzy Hash: 3231BF74A08A598FDB98EF08C899B99B3F1FF69301F4104A9E40DD7261CA70EE81CF44

Function 00007FF7C816275B Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5cfff0ec777f2b6b669b98c42e13472accb7a94f62f3cd6d85a352e83f42b46
Instruction ID: 0d1d5919756201ea0558deb3987cbefdafa6cca132f0c10801224b1b066579df
Opcode Fuzzy Hash: e5cfff0ec777f2b6b669b98c42e13472accb7a94f62f3cd6d85a352e83f42b46
Instruction Fuzzy Hash: B621D331A08A0E8FDBD4EF1CD899BA8B3E1FF59710F4445E9E40DD7265CA30AC828B00

Function 00007FF7C8165391 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b635e470452857098e9dd77d8c6bb39ffa3ed0ed3014875a08e2192b5465a8c8
Instruction ID: f4d0aa13791068ae0261ce217da10f58de36bd8cc4efbbbb1982ec5bf96f6060
Opcode Fuzzy Hash: b635e470452857098e9dd77d8c6bb39ffa3ed0ed3014875a08e2192b5465a8c8
Instruction Fuzzy Hash: 29215C75E1894D8FDB80EF98D855AEDB7F1FF58721F40017AD408E3291DA78A841CB60

Function 00007FF7C8160C69 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac674ff7e9507f7741dcec4411a83379309296ae999a6f59f4d0a4d966c4ddb
Instruction ID: 32cdc8086ea38ed1a2f4333eac471d38922582a8243bdf5db887c9fc084eff5b
Opcode Fuzzy Hash: 8ac674ff7e9507f7741dcec4411a83379309296ae999a6f59f4d0a4d966c4ddb
Instruction Fuzzy Hash: 0C11A07094A3498FDB19EF30EC852E9B7A1FF8A314F450879E84986192CB7AE951C740

Function 00007FF7C81608E1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaafad350401990ee2b13bfc20d7deba039c4530b90b837bb0d3bfa2bfeaa366
Instruction ID: 2ef47df11e57fd40f6232f2a20b6f38027aa41f1ad2a6704ee8f99b4f3f891cc
Opcode Fuzzy Hash: aaafad350401990ee2b13bfc20d7deba039c4530b90b837bb0d3bfa2bfeaa366
Instruction Fuzzy Hash: 70015BB0C096598FEB54EF6498192FDFBB0FF1A310F8005AAE44DE7192DB78A940CB55

Non-executed Functions

Function 00007FF7C8160F75 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

-!&, xrefs: 00007FF7C8160FE1
P/!&, xrefs: 00007FF7C8160FA1
p0!&, xrefs: 00007FF7C8160F91
(0!&, xrefs: 00007FF7C8160FC1

Memory Dump Source

Source File: 00000000.00000002.2574363619.00007FF7C8160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C8160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c8160000_Saturn.jbxd

Similarity

API ID:
String ID: (0!&$P/!&$p0!&$-!&
API String ID: 0-1225455788
Opcode ID: aebf40a487ee0dedc6529f47a93d1ed448719362e7891c3f77ecfd15f71871fc
Instruction ID: 399198bd07cb63f15792ae5a82799afcaebe0ad5b4eb2980d7b7f4d91434cd07
Opcode Fuzzy Hash: aebf40a487ee0dedc6529f47a93d1ed448719362e7891c3f77ecfd15f71871fc
Instruction Fuzzy Hash: 3C419292C0EAC25FE629AE782C15179EFE1FF62B7075C00FFD0D85A0D799059909C3A5

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Saturn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Saturn.exePID: 5452, Parent PID: 3084

General

Chronological Activities

Disassembly

Analysis Process: Saturn.exePID: 5452, Parent PID: 3084COMMON

Windows Analysis Report
Saturn.exe