e909c555fe1eb48ad8f946b0cc27f05574e0b4baec0d623788a769e422a331bf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Thanos.exe
Size

6.9MB
MD5

505de66c51ee81ba2a62d990c6646965
SHA1

13a6230a5ea499501649e85d4d534fe958993353
SHA256

e909c555fe1eb48ad8f946b0cc27f05574e0b4baec0d623788a769e422a331bf
SHA512

d3c45dc1376c550caa5924bc38cc6fd55bb225018e6deaa948cf55676c40b45f78c82fba3944b2c83031eafaee9745c4dcecc89b30a4b6a824d8801d87044e21
SSDEEP

196608:8nh/7wd1W903eV4Q+tpDjIIAcwD0RPXvEkfsiALt:mwzW+eGQ69jo0jsJ5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	Thanos.exe

Loads dropped DLL 4 IoCs

pid	Process
3104	Thanos.exe
3104	Thanos.exe
3104	Thanos.exe
3104	Thanos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 3104	4864	Thanos.exe	89
PID 4864 wrote to memory of 3104	4864	Thanos.exe	89
PID 3104 wrote to memory of 4812	3104	Thanos.exe	91
PID 3104 wrote to memory of 4812	3104	Thanos.exe	91
PID 3104 wrote to memory of 4364	3104	Thanos.exe	93
PID 3104 wrote to memory of 4364	3104	Thanos.exe	93
PID 3104 wrote to memory of 2564	3104	Thanos.exe	95
PID 3104 wrote to memory of 2564	3104	Thanos.exe	95
PID 3104 wrote to memory of 1600	3104	Thanos.exe	97
PID 3104 wrote to memory of 1600	3104	Thanos.exe	97
PID 3104 wrote to memory of 3416	3104	Thanos.exe	99
PID 3104 wrote to memory of 3416	3104	Thanos.exe	99
PID 3104 wrote to memory of 1360	3104	Thanos.exe	101
PID 3104 wrote to memory of 1360	3104	Thanos.exe	101
PID 3104 wrote to memory of 4932	3104	Thanos.exe	103
PID 3104 wrote to memory of 4932	3104	Thanos.exe	103
PID 3104 wrote to memory of 3648	3104	Thanos.exe	105
PID 3104 wrote to memory of 3648	3104	Thanos.exe	105
PID 3104 wrote to memory of 576	3104	Thanos.exe	107
PID 3104 wrote to memory of 576	3104	Thanos.exe	107
PID 3104 wrote to memory of 1744	3104	Thanos.exe	109
PID 3104 wrote to memory of 1744	3104	Thanos.exe	109
PID 3104 wrote to memory of 4940	3104	Thanos.exe	110
PID 3104 wrote to memory of 4940	3104	Thanos.exe	110
PID 3104 wrote to memory of 4664	3104	Thanos.exe	113
PID 3104 wrote to memory of 4664	3104	Thanos.exe	113
PID 3104 wrote to memory of 316	3104	Thanos.exe	115
PID 3104 wrote to memory of 316	3104	Thanos.exe	115
PID 4812 wrote to memory of 3892	4812	cmd.exe	117
PID 4812 wrote to memory of 3892	4812	cmd.exe	117
PID 4364 wrote to memory of 5088	4364	cmd.exe	118
PID 4364 wrote to memory of 5088	4364	cmd.exe	118
PID 2564 wrote to memory of 3316	2564	cmd.exe	119
PID 2564 wrote to memory of 3316	2564	cmd.exe	119
PID 1600 wrote to memory of 4212	1600	cmd.exe	120
PID 1600 wrote to memory of 4212	1600	cmd.exe	120
PID 576 wrote to memory of 2184	576	cmd.exe	121
PID 576 wrote to memory of 2184	576	cmd.exe	121
PID 3416 wrote to memory of 3192	3416	cmd.exe	122
PID 3416 wrote to memory of 3192	3416	cmd.exe	122
PID 4932 wrote to memory of 4800	4932	cmd.exe	123
PID 4932 wrote to memory of 4800	4932	cmd.exe	123
PID 1360 wrote to memory of 1204	1360	cmd.exe	124
PID 1360 wrote to memory of 1204	1360	cmd.exe	124
PID 4940 wrote to memory of 5104	4940	cmd.exe	125
PID 4940 wrote to memory of 5104	4940	cmd.exe	125
PID 4664 wrote to memory of 3296	4664	cmd.exe	126
PID 4664 wrote to memory of 3296	4664	cmd.exe	126
PID 3648 wrote to memory of 2588	3648	cmd.exe	127
PID 3648 wrote to memory of 2588	3648	cmd.exe	127
PID 316 wrote to memory of 2924	316	cmd.exe	128
PID 316 wrote to memory of 2924	316	cmd.exe	128
PID 1744 wrote to memory of 4128	1744	cmd.exe	129
PID 1744 wrote to memory of 4128	1744	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\Thanos.exe
"C:\Users\Admin\AppData\Local\Temp\Thanos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Local\Temp\Thanos.exe
  "C:\Users\Admin\AppData\Local\Temp\Thanos.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\system32\mode.com
      mode 160,50
      4⤵
      PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\system32\mode.com
      mode 160,50
      4⤵
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\system32\mode.com
      mode 160,50
      4⤵
      PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\system32\mode.com
      mode 160,50
      4⤵
      PID:4212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\system32\mode.com
      mode 160,50
      4⤵
      PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\system32\mode.com
      mode 160,50
      4⤵
      PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\system32\mode.com
      mode 160,50
      4⤵
      PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\system32\mode.com
      mode 160,50
      4⤵
      PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\system32\mode.com
      mode 160,50
      4⤵
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\system32\mode.com
      mode 160,50
      4⤵
      PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\system32\mode.com
      mode 160,50
      4⤵
      PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\system32\mode.com
      mode 160,50
      4⤵
      PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\system32\mode.com
      mode 160,50
      4⤵
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Thanos-Crasher\Crasher.bat

Filesize
10KB

MD5
ff257f113154e5a3b9fb52e5a52dd8c9

SHA1
a5c44efee254b8a468050adcfbf68b2ba9c6a946

SHA256
69543a5a5df318d3c4602faffccde3dc7162ecee0f1f57e3eae1b780b96af93e

SHA512
28a0f702f45eec2239d4e10177141fdb8f8f8fb00b4d44c803fd1de7348c522e44649e7abefcaa66b9d3f770e19d2843b3c0b9622d14946dc694c09aaf5bdd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48642\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48642\_bz2.pyd

Filesize
82KB

MD5
c7ce973f261f698e3db148ccad057c96

SHA1
59809fd48e8597a73211c5df64c7292c5d120a10

SHA256
02d772c03704fe243c8de2672c210a5804d075c1f75e738d6130a173d08dfcde

SHA512
a924750b1825747a622eef93331fd764d824c954297e37e8dc93a450c11aa7ab3ad7c3b823b11656b86e64de3cd5d409fda15db472488dfaa4bb50341f0b29d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48642\_decimal.pyd

Filesize
247KB

MD5
21c73e7e0d7dad7a1fe728e3b80ce073

SHA1
7b363af01e83c05d0ea75299b39c31d948bbfe01

SHA256
a28c543976aa4b6d37da6f94a280d72124b429f458d0d57b7dbcf71b4bea8f73

SHA512
0357102bffc2ec2bc6ff4d9956d6b8e77ed8558402609e558f1c1ebc1baca6aeaa5220a7781a69b783a54f3e76362d1f74d817e4ee22aac16c7f8c86b6122390

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48642\_hashlib.pyd

Filesize
63KB

MD5
f495d1897a1b52a2b15c20dcecb84b47

SHA1
8cb65590a8815bda58c86613b6386b5982d9ec3f

SHA256
e47e76d70d508b62924fe480f30e615b12fdd7745c0aac68a2cddabd07b692ae

SHA512
725d408892887bebd5bcf040a0ecc6a4e4b608815b9dea5b6f7b95c812715f82079896df33b0830c9f787ffe149b8182e529bb1f78aadd89df264cf8853ee4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48642\_lzma.pyd

Filesize
155KB

MD5
4e2239ece266230ecb231b306adde070

SHA1
e807a078b71c660db10a27315e761872ffd01443

SHA256
34130d8abe27586ee315262d69af4e27429b7eab1f3131ea375c2bb62cf094be

SHA512
86e6a1eab3529e600dd5caab6103e34b0f618d67322a5ecf1b80839faa028150c492a5cf865a2292cc8584fba008955da81a50b92301583424401d249c5f1401

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48642\_socket.pyd

Filesize
81KB

MD5
899380b2d48df53414b974e11bb711e3

SHA1
f1d11f7e970a7cd476e739243f8f197fcb3ad590

SHA256
b38e66e6ee413e5955ef03d619cadd40fca8be035b43093d2342b6f3739e883e

SHA512
7426ca5e7a404b9628e2966dae544f3e8310c697145567b361825dc0b5c6cd87f2caf567def8cd19e73d68643f2f38c08ff4ff0bb0a459c853f241b8fdf40024

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48642\base_library.zip

Filesize
1.3MB

MD5
4cd74e70336c96f7172a114dfa74eb25

SHA1
4d96748b2221857d3698499597884ae0ea639ee3

SHA256
1e5198462510015a5b855ea01e287fa9d765be4357cba60cfedafb9b1b33bdf4

SHA512
9cd4e846aadfe79d086ce285e9dd58f241f67791a9b87c327852676f3c3f543832032de1dd6bac33f268bd782c2fd30fce49e4262da8ff052bc3f4684057dba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48642\libcrypto-3.dll

Filesize
4.9MB

MD5
51e8a5281c2092e45d8c97fbdbf39560

SHA1
c499c810ed83aaadce3b267807e593ec6b121211

SHA256
2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a

SHA512
98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48642\python312.dll

Filesize
6.6MB

MD5
5c5602cda7ab8418420f223366fff5db

SHA1
52f81ee0aef9b6906f7751fd2bbd4953e3f3b798

SHA256
e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce

SHA512
51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48642\select.pyd

Filesize
30KB

MD5
bffff83a000baf559f3eb2b599a1b7e8

SHA1
7f9238bda6d0c7cc5399c6b6ab3b42d21053f467

SHA256
bc71fbdfd1441d62dd86d33ff41b35dc3cc34875f625d885c58c8dc000064dab

SHA512
3c0ba0cf356a727066ae0d0d6523440a882aafb3ebdf70117993effd61395deebf179948f8c7f5222d59d1ed748c71d9d53782e16bd2f2eccc296f2f8b4fc948

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48642\unicodedata.pyd

Filesize
1.1MB

MD5
a1388676824ce6347d31d6c6a7a1d1b5

SHA1
27dd45a5c9b7e61bb894f13193212c6d5668085b

SHA256
2480a78815f619a631210e577e733c9bafecb7f608042e979423c5850ee390ff

SHA512
26ea1b33f14f08bb91027e0d35ac03f6203b4dfeee602bb592c5292ab089b27ff6922da2804a9e8a28e47d4351b32cf93445d894f00b4ad6e2d0c35c6c7f1d89

Download Submit