abac9b724c6d13aa90b5484b7c424c1505f9f7d58504954bb3ed9b718a448991

Analysis

max time kernel
100s
max time network
162s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-07-2022 09:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

trojan/8.exe
Size

235KB
MD5

6ad37fb0ae1f564119c32ad238f5013e
SHA1

cd168d13400f213c11d2fb6f1517b998c21308be
SHA256

058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e
SHA512

977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2

Score

10^/10

persistence ransomware suricata

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README.txt

Ransom Note

--------------------------------------------------- ____ _ __ __ _ | _ \ (_) ___ ___ \ \ / / (_) _ __ _ _ ___ | |_) | | | / __| / _ \ \ \ / / | | | '__| | | | | / __| | __/ | | | (__ | (_) | \ V / | | | | | |_| | \__ \ |_| |_| \___| \___/ \_/ |_| |_| \__,_| |___/ --------------------------------------------------- Pico v1.1 Your files are encrypted. This means you cannot access your files if they are encrypted you can't watch, edit, use them. Try something funny and we will delete all your files. All your files are encrypted with. 256-bit encryption is refers to the length of the encryption key used to encrypt a data stream or file. A hacker or cracker will require 2256 different combinations to break a 256-bit encrypted message, which is virtually impossible to be broken by even the fastest computers. After 2 minutes of receiving the payment, the decryption tool will be send to you. To decrypt your files, follow next steps: 1. Send 100 (0.02 BTC) to the Bitcoin Wallet or other paying method if requested. Bitcoin wallet: 17RaYJ7ULTZARS5nsroGUVRc7g2kF18azM 2. Send your MachineID to Discord picocode#8523 MactineID: 4cab856c-2ae4-4cbd-8a04-329969ee64da --------------------------------------------------- Do not waste your time, files can only be decrypted by our decode tool. If you paid the tool will get send by discord to you.

Wallets

17RaYJ7ULTZARS5nsroGUVRc7g2kF18azM

Signatures

suricata: ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent
suricata: ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent
suricata
Executes dropped EXE 1 IoCs

Processes:

8307912307.exe

pid process

2036 8307912307.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1972 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

8.exe

pid process

900 8.exe

pid	process
2036	8307912307.exe

pid	process
1972	cmd.exe

pid	process
900	8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8307912307.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Windows\\System32\\notepad.exe C:\\Users\\Admin\\Desktop\\README.txt"	8307912307.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2000 taskkill.exe
1880 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

660 notepad.exe

pid	process
2000	taskkill.exe
1880	taskkill.exe

pid	process
660	notepad.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exeshutdown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeShutdownPrivilege	1696	shutdown.exe
Token: SeRemoteShutdownPrivilege	1696	shutdown.exe
Token: SeDebugPrivilege	1880	taskkill.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

8.execmd.exe8307912307.execmd.execmd.exe

description	pid	process	target process
PID 900 wrote to memory of 2036	900	8.exe	8307912307.exe
PID 900 wrote to memory of 2036	900	8.exe	8307912307.exe
PID 900 wrote to memory of 2036	900	8.exe	8307912307.exe
PID 900 wrote to memory of 2036	900	8.exe	8307912307.exe
PID 900 wrote to memory of 1972	900	8.exe	cmd.exe
PID 900 wrote to memory of 1972	900	8.exe	cmd.exe
PID 900 wrote to memory of 1972	900	8.exe	cmd.exe
PID 900 wrote to memory of 1972	900	8.exe	cmd.exe
PID 1972 wrote to memory of 2000	1972	cmd.exe	taskkill.exe
PID 1972 wrote to memory of 2000	1972	cmd.exe	taskkill.exe
PID 1972 wrote to memory of 2000	1972	cmd.exe	taskkill.exe
PID 1972 wrote to memory of 2000	1972	cmd.exe	taskkill.exe
PID 2036 wrote to memory of 660	2036	8307912307.exe	notepad.exe
PID 2036 wrote to memory of 660	2036	8307912307.exe	notepad.exe
PID 2036 wrote to memory of 660	2036	8307912307.exe	notepad.exe
PID 2036 wrote to memory of 660	2036	8307912307.exe	notepad.exe
PID 2036 wrote to memory of 560	2036	8307912307.exe	cmd.exe
PID 2036 wrote to memory of 560	2036	8307912307.exe	cmd.exe
PID 2036 wrote to memory of 560	2036	8307912307.exe	cmd.exe
PID 2036 wrote to memory of 560	2036	8307912307.exe	cmd.exe
PID 2036 wrote to memory of 640	2036	8307912307.exe	cmd.exe
PID 2036 wrote to memory of 640	2036	8307912307.exe	cmd.exe
PID 2036 wrote to memory of 640	2036	8307912307.exe	cmd.exe
PID 2036 wrote to memory of 640	2036	8307912307.exe	cmd.exe
PID 560 wrote to memory of 1880	560	cmd.exe	taskkill.exe
PID 560 wrote to memory of 1880	560	cmd.exe	taskkill.exe
PID 560 wrote to memory of 1880	560	cmd.exe	taskkill.exe
PID 560 wrote to memory of 1880	560	cmd.exe	taskkill.exe
PID 640 wrote to memory of 1696	640	cmd.exe	shutdown.exe
PID 640 wrote to memory of 1696	640	cmd.exe	shutdown.exe
PID 640 wrote to memory of 1696	640	cmd.exe	shutdown.exe
PID 640 wrote to memory of 1696	640	cmd.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\trojan\8.exe
"C:\Users\Admin\AppData\Local\Temp\trojan\8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Roaming\830791230739248\8307912307.exe
"C:\Users\Admin\AppData\Roaming\830791230739248\8307912307.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\README.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 8307912307.exe /f & erase C:\Users\Admin\AppData\Roaming\830791230739248\8307912307.exe & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 8307912307.exe /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -s -f -t 5
3⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\shutdown.exe
shutdown -s -f -t 5
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 8.exe /f & erase C:\Users\Admin\AppData\Local\Temp\trojan\8.exe & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 8.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1900

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\830791230739248\8307912307.exe
Filesize
235KB

MD5
6ad37fb0ae1f564119c32ad238f5013e

SHA1
cd168d13400f213c11d2fb6f1517b998c21308be

SHA256
058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e

SHA512
977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2

Download Submit
C:\Users\Admin\AppData\Roaming\830791230739248\8307912307.exe
Filesize
235KB

MD5
6ad37fb0ae1f564119c32ad238f5013e

SHA1
cd168d13400f213c11d2fb6f1517b998c21308be

SHA256
058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e

SHA512
977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2

Download Submit
C:\Users\Admin\Desktop\README.txt
Filesize
1KB

MD5
18d94d4c00070ce0f0169ec4d1b8dbc6

SHA1
736d6ec5360658d0f1b0801354dd8acf904dcedf

SHA256
b0973e12859d3c348bc9c07725ab196520ea5e6b0edce3cfc7b081bdc1ca77f8

SHA512
2b89ff5bb0dbd2a500e0fefb206a4e2dbdd2e95811e72274b4e4a0039f89f0ea127eee8a2eeee15c2276270d2b9bd1d515792c1dd04dd34b65b4928442988571

Download Submit
\Users\Admin\AppData\Roaming\830791230739248\8307912307.exe
Filesize
235KB

MD5
6ad37fb0ae1f564119c32ad238f5013e

SHA1
cd168d13400f213c11d2fb6f1517b998c21308be

SHA256
058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e

SHA512
977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2

Download Submit
memory/560-64-0x0000000000000000-mapping.dmp

Download
memory/640-65-0x0000000000000000-mapping.dmp

Download
memory/660-61-0x0000000000000000-mapping.dmp

Download
memory/900-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1696-67-0x0000000000000000-mapping.dmp

Download
memory/1880-66-0x0000000000000000-mapping.dmp

Download
memory/1900-69-0x000007FEFBDA1000-0x000007FEFBDA3000-memory.dmp

Filesize
8KB

Download
memory/1972-59-0x0000000000000000-mapping.dmp

Download
memory/2000-60-0x0000000000000000-mapping.dmp

Download
memory/2036-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads