6a5090762c6058bc223e37e89f53832faad80995e3c5ed7e59ed9f5a5e604e47

Resubmissions

04-11-2021 14:41

211104-r2dv8agha4 10

27-01-2021 22:14

210127-cr6bjqfx2e 10

Analysis

max time kernel
8s
max time network
6s
platform
windows7_x64
resource
win7v20201028
submitted
27-01-2021 22:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

thanos-cleaned.exe
Size

92KB
MD5

fe7dcc0f74e152a78963d560b2e3d148
SHA1

f9cf1dd1a7e8b2dffc9e0195685cef5a625832ea
SHA256

6a5090762c6058bc223e37e89f53832faad80995e3c5ed7e59ed9f5a5e604e47
SHA512

a1d2de8abf7e56a2c29bfa38d0ae23584db2174ec8b14c6da3220e1c52ad52861714f8c363be843d16cdf13a22e0b74c16a1cb684ba102f132b09133338a169a

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\thanos-cleaned.exe,C:\\Windows\\system32\\userinit.exe"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1944	bcdedit.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	thanos-cleaned.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2032	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 449 IoCs

pid	Process
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe
1852	thanos-cleaned.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	thanos-cleaned.exe
Token: SeShutdownPrivilege	528	shutdown.exe
Token: SeRemoteShutdownPrivilege	528	shutdown.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2032	1852	thanos-cleaned.exe	26
PID 1852 wrote to memory of 2032	1852	thanos-cleaned.exe	26
PID 1852 wrote to memory of 2032	1852	thanos-cleaned.exe	26
PID 1852 wrote to memory of 1944	1852	thanos-cleaned.exe	27
PID 1852 wrote to memory of 1944	1852	thanos-cleaned.exe	27
PID 1852 wrote to memory of 1944	1852	thanos-cleaned.exe	27
PID 1852 wrote to memory of 1988	1852	thanos-cleaned.exe	29
PID 1852 wrote to memory of 1988	1852	thanos-cleaned.exe	29
PID 1852 wrote to memory of 1988	1852	thanos-cleaned.exe	29
PID 1852 wrote to memory of 268	1852	thanos-cleaned.exe	32
PID 1852 wrote to memory of 268	1852	thanos-cleaned.exe	32
PID 1852 wrote to memory of 268	1852	thanos-cleaned.exe	32
PID 1852 wrote to memory of 528	1852	thanos-cleaned.exe	33
PID 1852 wrote to memory of 528	1852	thanos-cleaned.exe	33
PID 1852 wrote to memory of 528	1852	thanos-cleaned.exe	33
PID 1852 wrote to memory of 1872	1852	thanos-cleaned.exe	37
PID 1852 wrote to memory of 1872	1852	thanos-cleaned.exe	37
PID 1852 wrote to memory of 1872	1852	thanos-cleaned.exe	37
PID 268 wrote to memory of 1776	268	net.exe	38
PID 268 wrote to memory of 1776	268	net.exe	38
PID 268 wrote to memory of 1776	268	net.exe	38

C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe
"C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe"
1⤵
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\system32\reg.exe
  "reg.exe" delete HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend /f
  2⤵
  - Modifies registry key
  PID:2032
- C:\Windows\system32\bcdedit.exe
  "bcdedit.exe" /set {default} safeboot network
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1944
- C:\Windows\system32\reg.exe
  "reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe","C:\Windows\system32\userinit.exe" /f
  2⤵
  - Modifies WinLogon for persistence
  PID:1988
- C:\Windows\system32\net.exe
  "net.exe" user Admin ""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user Admin ""
    3⤵
    PID:1776
- C:\Windows\system32\shutdown.exe
  "shutdown.exe" /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  PID:1872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-15-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/792-13-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/1584-17-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1852-2-0x000007FEF60E0000-0x000007FEF6ACC000-memory.dmp

Filesize
9.9MB

Download
memory/1852-5-0x000000001ADC0000-0x000000001ADC2000-memory.dmp

Filesize
8KB

Download
memory/1852-3-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads