thanos | 2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
3s
max time network
2s
platform
windows7_x64
resource
win7v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe
Size

393KB
MD5

104b68a8b7e2913139049b30847f990f
SHA1

0f25791a039298be94a3d024f5a3d1796e13a587
SHA256

b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424
SHA512

cba38f93247621cc38ea33f72efc1147e0a6d1a8b9256a26853ac3c1c8c3c9444d2d3a5af586e934febad1822c93fbc1e9c538759b4587720ba03a92792ce04d

Score

10^/10

thanos evasion persistence ransomware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\file.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\file.exe	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe,C:\\Windows\\system32\\userinit.exe"	reg.exe

Thanos Ransomware
Ransomware-as-a-service (RaaS) sold through underground forums.
ransomware thanos

Thanos executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\file.exe	family_thanos_ransomware
C:\Users\Admin\AppData\Local\Temp\file.exe	family_thanos_ransomware

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

1364 bcdedit.exe
Executes dropped EXE 1 IoCs

Processes:

file.exe

pid process

1152 file.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

file.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features file.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1344 reg.exe
Runs net.exe

pid	process
1364	bcdedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	file.exe

pid	process
1344	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe
1152	file.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

file.exeshutdown.exe

description pid process

Token: SeDebugPrivilege 1152 file.exe
Token: SeShutdownPrivilege 1524 shutdown.exe
Token: SeRemoteShutdownPrivilege 1524 shutdown.exe

description	pid	process
Token: SeDebugPrivilege	1152	file.exe
Token: SeShutdownPrivilege	1524	shutdown.exe
Token: SeRemoteShutdownPrivilege	1524	shutdown.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exefile.exe

description	pid	process	target process
PID 1732 wrote to memory of 1152	1732	b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe	file.exe
PID 1732 wrote to memory of 1152	1732	b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe	file.exe
PID 1732 wrote to memory of 1152	1732	b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe	file.exe
PID 1152 wrote to memory of 1344	1152	file.exe	conhost.exe
PID 1152 wrote to memory of 1344	1152	file.exe	conhost.exe
PID 1152 wrote to memory of 1344	1152	file.exe	conhost.exe
PID 1152 wrote to memory of 1364	1152	file.exe	bcdedit.exe
PID 1152 wrote to memory of 1364	1152	file.exe	bcdedit.exe
PID 1152 wrote to memory of 1364	1152	file.exe	bcdedit.exe
PID 1152 wrote to memory of 612	1152	file.exe	reg.exe
PID 1152 wrote to memory of 612	1152	file.exe	reg.exe
PID 1152 wrote to memory of 612	1152	file.exe	reg.exe
PID 1152 wrote to memory of 1944	1152	file.exe	net.exe
PID 1152 wrote to memory of 1944	1152	file.exe	net.exe
PID 1152 wrote to memory of 1944	1152	file.exe	net.exe
PID 1152 wrote to memory of 1524	1152	file.exe	shutdown.exe
PID 1152 wrote to memory of 1524	1152	file.exe	shutdown.exe
PID 1152 wrote to memory of 1524	1152	file.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "file.exe"
  2⤵
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\reg.exe
    "reg.exe" delete HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend /f
    3⤵
    - Modifies registry key
    PID:1344
- - C:\Windows\system32\bcdedit.exe
    "bcdedit.exe" /set {default} safeboot network
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1364
- - C:\Windows\system32\reg.exe
    "reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\file.exe","C:\Windows\system32\userinit.exe" /f
    3⤵
    - Modifies WinLogon for persistence
    PID:612
- - C:\Windows\system32\net.exe
    "net.exe" user Admin ""
    3⤵
    PID:1944
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin ""
      4⤵
      PID:1660
- - C:\Windows\system32\shutdown.exe
    "shutdown.exe" /r /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:1528
- - C:\Windows\system32\net.exe
    "net.exe" stop mfewc /y
    3⤵
    PID:1644
- - C:\Windows\system32\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:1740
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:1576
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:328
- - C:\Windows\system32\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:1792
- - C:\Windows\system32\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:1820
- - C:\Windows\system32\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:1756
- - C:\Windows\system32\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:1928
- - C:\Windows\system32\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:1984
- - C:\Windows\system32\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:1380
- - C:\Windows\system32\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:1208
- - C:\Windows\system32\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:480
- - C:\Windows\system32\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:916
- - C:\Windows\system32\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:960
- - C:\Windows\system32\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:812
- - C:\Windows\system32\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:1192
- - C:\Windows\system32\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:1488
- - C:\Windows\system32\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:580
- - C:\Windows\system32\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    PID:1316
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    PID:1652
- - C:\Windows\system32\net.exe
    "net.exe" stop avpsus /y
    3⤵
    PID:1076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "188095522-175523635295267694-1013923470-2110761987932423451-1786827165-40800582"
1⤵
PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.exe

MD5
e01e11dca5e8b08fc8231b1cb6e2048c

SHA1
4983d07f004436caa3f10b38adacbba6a4ede01a

SHA256
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f

SHA512
298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

MD5
e01e11dca5e8b08fc8231b1cb6e2048c

SHA1
4983d07f004436caa3f10b38adacbba6a4ede01a

SHA256
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f

SHA512
298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de

Download Submit
memory/328-93-0x0000000000000000-mapping.dmp

Download
memory/480-85-0x0000000000000000-mapping.dmp

Download
memory/580-79-0x0000000000000000-mapping.dmp

Download
memory/612-67-0x0000000000000000-mapping.dmp

Download
memory/812-82-0x0000000000000000-mapping.dmp

Download
memory/916-84-0x0000000000000000-mapping.dmp

Download
memory/960-83-0x0000000000000000-mapping.dmp

Download
memory/1076-74-0x0000000000000000-mapping.dmp

Download
memory/1152-60-0x0000000000000000-mapping.dmp

Download
memory/1152-73-0x000000001AC80000-0x000000001AC82000-memory.dmp

Filesize
8KB

Download
memory/1152-63-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1192-81-0x0000000000000000-mapping.dmp

Download
memory/1208-86-0x0000000000000000-mapping.dmp

Download
memory/1316-77-0x0000000000000000-mapping.dmp

Download
memory/1344-65-0x0000000000000000-mapping.dmp

Download
memory/1364-66-0x0000000000000000-mapping.dmp

Download
memory/1380-87-0x0000000000000000-mapping.dmp

Download
memory/1488-80-0x0000000000000000-mapping.dmp

Download
memory/1524-69-0x0000000000000000-mapping.dmp

Download
memory/1528-72-0x0000000000000000-mapping.dmp

Download
memory/1576-94-0x0000000000000000-mapping.dmp

Download
memory/1644-76-0x0000000000000000-mapping.dmp

Download
memory/1652-75-0x0000000000000000-mapping.dmp

Download
memory/1660-71-0x0000000000000000-mapping.dmp

Download
memory/1740-78-0x0000000000000000-mapping.dmp

Download
memory/1756-90-0x0000000000000000-mapping.dmp

Download
memory/1772-70-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

Filesize
8KB

Download
memory/1772-95-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1792-92-0x0000000000000000-mapping.dmp

Download
memory/1820-91-0x0000000000000000-mapping.dmp

Download
memory/1928-89-0x0000000000000000-mapping.dmp

Download
memory/1944-68-0x0000000000000000-mapping.dmp

Download
memory/1984-88-0x0000000000000000-mapping.dmp

Download