thanos | fedb39ac98c39b688703f1968405d75432d881ff34405d3087a989440735aa8e | Triage

Submit
Reports

Overview

overview

Static

static

iE8JUAJp7.bin.exe

windows7_x64

8

iE8JUAJp7.bin.exe

windows10_x64

8

Resubmissions

28-10-2021 15:44

211028-s6m55agfbk 10

10-10-2021 17:01

211010-vjzlragafj 8

Sharing

General

Target

iE8JUAJp7.bin.zip
Size

140KB
Sample

211028-s6m55agfbk
MD5

06595c8a8b5293727765fbc931d6bfe1
SHA1

ed700f9ebea686f9dd2c5a4f9d6c3e051d1c4452
SHA256

fedb39ac98c39b688703f1968405d75432d881ff34405d3087a989440735aa8e
SHA512

6b4a4bcce470bd755ac1ef20a3a967e2068e58fe9d095a1dd58e6de6a0142488a369ee98904710f02bb6150dc29c93e566feca8d4c25624d512250b50778f607

Score

10^/10

thanos evasion persistence ransomware

Static task

static1

ransomware thanos

Behavioral task

behavioral1

Sample

iE8JUAJp7.bin.exe

Resource

win7-en-20210920

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

iE8JUAJp7.bin.exe

Resource

win10-en-20211014

evasion persistence ransomware

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  iE8JUAJp7.bin
- Size
  
  385KB
- MD5
  
  a9a0fae4766d9f7cafa1560f5f62e46f
- SHA1
  
  d582608dc07bd9f771334cdb60626755997dd56c
- SHA256
  
  f70966e32d18a1e2ed51ebdcc6b985d8f7613febf0680639076c71ebeab6a350
- SHA512
  
  5c2f89a16c5291d509f41bd5f12d18a386892738cfd5fb5cbd2156c52d46f28abde5f199461fe9a8bf3aa3f7e4644fe66c3ad48c3b114b792efdbf421468856b
Score

8^/10

evasion persistence ransomware
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Downloads PsExec from SysInternals website
  Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

ransomwarethanos

behavioral1

behavioral2

evasionpersistenceransomware

© 2018-2024

Terms | Privacy