Overview

Static: score 10

Behavioral tasks (score, sample, platform):
8   trojan/1.exe   windows7_x64
10  trojan/1.exe   windows10-2004_x64
10  trojan/10.exe  windows7_x64
10  trojan/10.exe  windows10-2004_x64
8   trojan/2.exe   windows7_x64
3   trojan/2.exe   windows10-2004_x64
5   trojan/3.exe   windows7_x64
10  trojan/3.exe   windows10-2004_x64
10  trojan/4.exe   windows7_x64
8   trojan/4.exe   windows10-2004_x64
8   trojan/5.exe   windows7_x64
8   trojan/5.exe   windows10-2004_x64
8   trojan/6.exe   windows7_x64
10  trojan/6.exe   windows10-2004_x64
10  trojan/7.exe   windows7_x64
10  trojan/7.exe   windows10-2004_x64
10  trojan/8.exe   windows7_x64
-   trojan/8.exe   windows10-2004_x64
10  trojan/9.exe   windows7_x64
8   trojan/9.exe   windows10-2004_x64
Analysis (score 8)
- max time kernel: 100s
- max time network: 162s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-07-2022 09:24
Tasks
- Static task static1
- Behavioral task behavioral1: sample trojan/1.exe, resource win7-20220414-en
- Behavioral task behavioral2: sample trojan/1.exe, resource win10v2004-20220414-en
- Behavioral task behavioral3: sample trojan/10.exe, resource win7-20220414-en
- Behavioral task behavioral4: sample trojan/10.exe, resource win10v2004-20220414-en
- Behavioral task behavioral5: sample trojan/2.exe, resource win7-20220414-en
- Behavioral task behavioral6: sample trojan/2.exe, resource win10v2004-20220414-en
- Behavioral task behavioral7: sample trojan/3.exe, resource win7-20220414-en
- Behavioral task behavioral8: sample trojan/3.exe, resource win10v2004-20220414-en
- Behavioral task behavioral9: sample trojan/4.exe, resource win7-20220414-en
- Behavioral task behavioral10: sample trojan/4.exe, resource win10v2004-20220414-en
- Behavioral task behavioral11: sample trojan/5.exe, resource win7-20220414-en
- Behavioral task behavioral12: sample trojan/5.exe, resource win10v2004-20220414-en
- Behavioral task behavioral13: sample trojan/6.exe, resource win7-20220414-en
- Behavioral task behavioral14: sample trojan/6.exe, resource win10v2004-20220414-en
- Behavioral task behavioral15: sample trojan/7.exe, resource win7-20220414-en
- Behavioral task behavioral16: sample trojan/7.exe, resource win10v2004-20220414-en
- Behavioral task behavioral17: sample trojan/8.exe, resource win7-20220414-en
- Behavioral task behavioral18: sample trojan/8.exe, resource win10v2004-20220414-en
- Behavioral task behavioral19: sample trojan/9.exe, resource win7-20220414-en
- Behavioral task behavioral20: sample trojan/9.exe, resource win10v2004-20220414-en
Errors
General
- Target: trojan/8.exe
- Size: 235KB
- MD5: 6ad37fb0ae1f564119c32ad238f5013e
- SHA1: cd168d13400f213c11d2fb6f1517b998c21308be
- SHA256: 058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e
- SHA512: 977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2
Malware Config
Extracted
- Path: C:\Users\Admin\Desktop\README.txt
- 17RaYJ7ULTZARS5nsroGUVRc7g2kF18azM
Signatures
- suricata: ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    2036  8307912307.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1972  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    900  8.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Windows\\System32\\notepad.exe C:\\Users\\Admin\\Desktop\\README.txt"  8307912307.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (2 IoCs)
  Processes (pid, process):
    2000  taskkill.exe
    1880  taskkill.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes (pid, process):
    660  notepad.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege           2000  taskkill.exe
    Token: SeShutdownPrivilege        1696  shutdown.exe
    Token: SeRemoteShutdownPrivilege  1696  shutdown.exe
    Token: SeDebugPrivilege           1880  taskkill.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes (description, pid, process, target process; each row is logged 4 times in the report):
    PID 900 wrote to memory of 2036   900   8.exe           8307912307.exe
    PID 900 wrote to memory of 1972   900   8.exe           cmd.exe
    PID 1972 wrote to memory of 2000  1972  cmd.exe         taskkill.exe
    PID 2036 wrote to memory of 660   2036  8307912307.exe  notepad.exe
    PID 2036 wrote to memory of 560   2036  8307912307.exe  cmd.exe
    PID 2036 wrote to memory of 640   2036  8307912307.exe  cmd.exe
    PID 560 wrote to memory of 1880   560   cmd.exe         taskkill.exe
    PID 640 wrote to memory of 1696   640   cmd.exe         shutdown.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\trojan\8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\trojan\8.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\830791230739248\8307912307.exe
    Command line: "C:\Users\Admin\AppData\Roaming\830791230739248\8307912307.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\README.txt
      Signatures: Opens file in notepad (likely ransom note)
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 8307912307.exe /f & erase C:\Users\Admin\AppData\Roaming\830791230739248\8307912307.exe & exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /im 8307912307.exe /f
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c shutdown -s -f -t 5
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown -s -f -t 5
        Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 8.exe /f & erase C:\Users\Admin\AppData\Local\Temp\trojan\8.exe & exit
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im 8.exe /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\830791230739248\8307912307.exe
  Filesize: 235KB
  MD5: 6ad37fb0ae1f564119c32ad238f5013e
  SHA1: cd168d13400f213c11d2fb6f1517b998c21308be
  SHA256: 058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e
  SHA512: 977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2
- C:\Users\Admin\Desktop\README.txt
  Filesize: 1KB
  MD5: 18d94d4c00070ce0f0169ec4d1b8dbc6
  SHA1: 736d6ec5360658d0f1b0801354dd8acf904dcedf
  SHA256: b0973e12859d3c348bc9c07725ab196520ea5e6b0edce3cfc7b081bdc1ca77f8
  SHA512: 2b89ff5bb0dbd2a500e0fefb206a4e2dbdd2e95811e72274b4e4a0039f89f0ea127eee8a2eeee15c2276270d2b9bd1d515792c1dd04dd34b65b4928442988571
- \Users\Admin\AppData\Roaming\830791230739248\8307912307.exe
  Filesize: 235KB
  MD5: 6ad37fb0ae1f564119c32ad238f5013e
  SHA1: cd168d13400f213c11d2fb6f1517b998c21308be
  SHA256: 058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e
  SHA512: 977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2
- memory/560-64-0x0000000000000000-mapping.dmp
- memory/640-65-0x0000000000000000-mapping.dmp
- memory/660-61-0x0000000000000000-mapping.dmp
- memory/900-54-0x00000000753B1000-0x00000000753B3000-memory.dmp
  Filesize: 8KB
- memory/1696-67-0x0000000000000000-mapping.dmp
- memory/1880-66-0x0000000000000000-mapping.dmp
- memory/1900-69-0x000007FEFBDA1000-0x000007FEFBDA3000-memory.dmp
  Filesize: 8KB
- memory/1972-59-0x0000000000000000-mapping.dmp
- memory/2000-60-0x0000000000000000-mapping.dmp
- memory/2036-56-0x0000000000000000-mapping.dmp