thanos | a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709 | Triage

Submit
Reports

Overview

overview

Static

static

a3977fd383...09.exe

windows7_x64

a3977fd383...09.exe

windows10-2004_x64

Sharing

General

Target

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709
Size

87KB
Sample

220607-w41vzsgaf2
MD5

2ef91650e60c37e9f0b35c3d7e172848
SHA1

76f18f62b8560e77141e0a1c21b0780187fdfdb9
SHA256

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709
SHA512

be8f454bedbacdc0ac0a07323f951426b917c087cbf533f80d761e03af18bcfe179c762014878a7f5a22c8925cae1498f1d18c792a943b5bce45c636c81cde3f

Score

10^/10

thanos evasion persistence ransomware trojan

Static task

static1

Behavioral task

behavioral1

Sample

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

Resource

win7-20220414-en

evasion persistence ransomware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709.exe

Resource

win10v2004-20220414-en

evasion persistence ransomware trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709
- Size
  
  87KB
- MD5
  
  2ef91650e60c37e9f0b35c3d7e172848
- SHA1
  
  76f18f62b8560e77141e0a1c21b0780187fdfdb9
- SHA256
  
  a3977fd383059a9833f42178061c0038754a19a76891aed5f38f36cd0300f709
- SHA512
  
  be8f454bedbacdc0ac0a07323f951426b917c087cbf533f80d761e03af18bcfe179c762014878a7f5a22c8925cae1498f1d18c792a943b5bce45c636c81cde3f
Score

10^/10

evasion persistence ransomware trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Windows security modification
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

File Deletion

Modify Registry

Web Service

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

evasionpersistenceransomware

behavioral2

evasionpersistenceransomwaretrojan

© 2018-2024

Terms | Privacy