thanos | f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327 | Triage

Submit
Reports

Overview

overview

Static

static

f261d0283d...27.exe

windows7_x64

f261d0283d...27.exe

windows10-2004_x64

Resubmissions

18-01-2022 15:29

220118-sw4ecsbhen 10

29-10-2021 12:17

211029-pf6m1aaabk 10

Sharing

General

Target

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327
Size

133KB
Sample

220118-sw4ecsbhen
MD5

91b493febfc1d782875a09fc076a8850
SHA1

ed12cfbedc90181e869fce19dc820063fa6b3179
SHA256

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327
SHA512

bb66d4d65f8f615e6af06f4815233a2a7430373e4afc5a61a2b2fff0dc9a6a002b4edad0db2a336b24dabd65efc3b74f57985836d137f25eb87a1901cfa4b9a9

Score

10^/10

thanos evasion persistence ransomware

Static task

static1

ransomware thanos

Behavioral task

behavioral1

Sample

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Resource

win7-en-20211208

thanos evasion persistence ransomware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Resource

win10v2004-en-20220113

thanos ransomware

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327
- Size
  
  133KB
- MD5
  
  91b493febfc1d782875a09fc076a8850
- SHA1
  
  ed12cfbedc90181e869fce19dc820063fa6b3179
- SHA256
  
  f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327
- SHA512
  
  bb66d4d65f8f615e6af06f4815233a2a7430373e4afc5a61a2b2fff0dc9a6a002b4edad0db2a336b24dabd65efc3b74f57985836d137f25eb87a1901cfa4b9a9
Score

10^/10

thanos evasion persistence ransomware
- Detect the Prometheus's Thanos ransomware using the build ID and the Killproc strings.
  Detect the Prometheus's Thanos ransomware.
  ransomware
- Thanos Ransomware
  Ransomware-as-a-service (RaaS) sold through underground forums.
  ransomware thanos
- Downloads MZ/PE file
- Downloads PsExec from SysInternals website
  Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Deletes itself
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

ransomwarethanos

behavioral1

thanosevasionpersistenceransomware

behavioral2

thanosransomware

© 2018-2024

Terms | Privacy