Analysis
-
max time kernel
113s -
max time network
195s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-de -
resource tags
arch:x64arch:x86image:win10v2004-20220812-delocale:de-deos:windows10-2004-x64systemwindows -
submitted
28-10-2022 12:22
Behavioral task
behavioral1
Sample
Thor.iso
Resource
win10v2004-20220812-de
5 signatures
1800 seconds
General
-
Target
Thor.iso
-
Size
95.3MB
-
MD5
d4518b96caa3986189662761582750c7
-
SHA1
5e1853b44723667e3ed475935f72e51ee1170251
-
SHA256
122ed45736c260b07f44e7d568646c3e96dee95f7db6e59a0d336a8d885d2892
-
SHA512
2bcbc6e686f26495556e4ec3fa3226f3cb267e491cf1eabf59cb0ccb5b7c080557d96df80f6dc400d711a62643cf873fa3705d7c7479bc040e3cf0d7fa1c3154
-
SSDEEP
786432:AnNlnAhhwt8XEyXJ9SOyh16MlEY2/AbQ:AnNlnAhhwG7Jah1d2IM
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3332 4072 WerFault.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
thor64-lite.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 thor64-lite.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier thor64-lite.exe -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings cmd.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
cmd.exethor64-lite.exedescription pid process Token: SeManageVolumePrivilege 4772 cmd.exe Token: SeManageVolumePrivilege 4772 cmd.exe Token: SeDebugPrivilege 4408 thor64-lite.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Thor.iso1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 436 -p 4072 -ip 40721⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4072 -s 24721⤵
- Program crash
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\thor\thor64-lite.exe"C:\Users\Admin\Desktop\thor\thor64-lite.exe"1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken