Overview

overview

10

Static

static

10

thanos-cleaned.exe

windows7_x64

10

thanos-cleaned.exe

windows10_x64

10

Resubmissions

04-11-2021 14:41

211104-r2dv8agha4 10

27-01-2021 22:14

210127-cr6bjqfx2e 10

Analysis

  • max time kernel
    7s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    04-11-2021 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    thanos-cleaned.exe

  • Size

    92KB

  • MD5

    fe7dcc0f74e152a78963d560b2e3d148

  • SHA1

    f9cf1dd1a7e8b2dffc9e0195685cef5a625832ea

  • SHA256

    6a5090762c6058bc223e37e89f53832faad80995e3c5ed7e59ed9f5a5e604e47

  • SHA512

    a1d2de8abf7e56a2c29bfa38d0ae23584db2174ec8b14c6da3220e1c52ad52861714f8c363be843d16cdf13a22e0b74c16a1cb684ba102f132b09133338a169a

Score
10/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe
    "C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe"
    1⤵
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\system32\reg.exe
      "reg.exe" delete HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend /f
      2⤵
      • Modifies registry key
      PID:1056
    • C:\Windows\system32\bcdedit.exe
      "bcdedit.exe" /set {default} safeboot network
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1504
    • C:\Windows\system32\reg.exe
      "reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe","C:\Windows\system32\userinit.exe" /f
      2⤵
      • Modifies WinLogon for persistence
      PID:1904
    • C:\Windows\system32\net.exe
      "net.exe" user Admin ""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user Admin ""
        3⤵
          PID:748
      • C:\Windows\system32\shutdown.exe
        "shutdown.exe" /r /t 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1580
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        2⤵
          PID:1376
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x0
        1⤵
          PID:1408
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x4bc
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:564
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x1
          1⤵
            PID:944

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/748-61-0x0000000000000000-mapping.dmp

            Download

          • memory/944-67-0x00000000026E0000-0x00000000026E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1056-56-0x0000000000000000-mapping.dmp

            Download

          • memory/1268-54-0x00000000012D0000-0x00000000012D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-64-0x000000001B1B0000-0x000000001B1B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1376-63-0x0000000000000000-mapping.dmp

            Download

          • memory/1408-62-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1408-65-0x0000000002980000-0x0000000002981000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1504-57-0x0000000000000000-mapping.dmp

            Download

          • memory/1580-60-0x0000000000000000-mapping.dmp

            Download

          • memory/1752-59-0x0000000000000000-mapping.dmp

            Download

          • memory/1904-58-0x0000000000000000-mapping.dmp

            Download