Overview
overview
10Static
static
1058bfb9fa88...1f.exe
windows7-x64
58bfb9fa88...1f.exe
windows10-2004-x64
105d40615701...3d.exe
windows7-x64
105d40615701...3d.exe
windows10-2004-x64
10ae66e009e1...75.exe
windows7-x64
ae66e009e1...75.exe
windows10-2004-x64
c460fc0d4f...50.exe
windows7-x64
c460fc0d4f...50.exe
windows10-2004-x64
10General
-
Target
Ransomware.Thanos.zip
-
Size
145KB
-
Sample
240629-yybd9avdrf
-
MD5
00184463f3b071369d60353c692be6f0
-
SHA1
d3c1e90f39da2997ef4888b54d706b1a1fde642a
-
SHA256
cd0f55dd00111251cd580c7e7cc1d17448faf27e4ef39818d75ce330628c7787
-
SHA512
baa931a23ecbcb15dda6a1dc46d65fd74b46ccea8891c48f0822a8a10092b7d4f7ea1dc971946a161ac861f0aa8b99362d5bea960b47b10f8c91e33d1b018006
-
SSDEEP
3072:fn8L7y+NJQpRhkU0kbH2PNo/1GjTqOncYIOSsk:f8L7xNJQFzCo/ojTqOnYD
Behavioral task
behavioral1
Sample
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Resource
win10v2004-20240611-en
Malware Config
Targets
-
-
Target
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
-
Size
82KB
-
MD5
e01e11dca5e8b08fc8231b1cb6e2048c
-
SHA1
4983d07f004436caa3f10b38adacbba6a4ede01a
-
SHA256
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
-
SHA512
298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de
-
SSDEEP
1536:PcW4lAJGGnzjoih/NDh/NDuk+XkGAK/hztXcag+PlbBfkWIyvZrw281r5XsmCZEe:UWNGszjoih/NDh/NDuk+XkGAK/hztXcQ
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Impair Defenses: Safe Mode Boot
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-
-
-
Target
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d
-
Size
91KB
-
MD5
be60e389a0108b2871dff12dfbb542ac
-
SHA1
14b4e0bfac64ec0f837f84ab1780ca7ced8d670d
-
SHA256
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d
-
SHA512
6051bec441434a80c34ee2752a3da9c3a0307cd1b551aa27a0f7f6f75b9bf64b172745d80f03eea054a03ebd2c493df21fd48d8fa3b706d46a6f7fee0e7c0641
-
SSDEEP
1536:QguHLgeS6umiCp31W4qYXgsLlOqrgB9GpF7LXdarTkCAKL5dsluhtvM4CoLT6QPg:D6seqCp31Hgsp9a9GTrda8CAKLTsWkyI
Score10/10-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (84) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75
-
Size
100KB
-
MD5
03b76a5130d0df8134a6bdea7fe97bcd
-
SHA1
60053d661ed03cd2a07f6750532e6ef11abcc4e5
-
SHA256
ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75
-
SHA512
d82eb0858819fc50b28910dfe8d537c8e7b0f34bc8953e48e7799b55ffe9320775df38c0ae38420808a0ddd84ea0d0c6b989b4348fcac52bbf2d1af7777091b8
-
SSDEEP
3072:P6seqCp31Hgsp9a9GTrda8CAKLTsWkyc:CqCp31Z9a9GTrk8CV/t
Score1/10 -
-
-
Target
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850
-
Size
87KB
-
MD5
d6d956267a268c9dcf48445629d2803e
-
SHA1
cc0feae505dad9c140dd21d1b40b518d8e61b3a4
-
SHA256
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850
-
SHA512
e0791f6eb3116d0590be3af3713c94f787f7ced8e904d4bb8fc0d1341f332053414cb1e9095ae2de041b9e6d6d55cf773bf45ebeb74f27bb95c11a3cc364abee
-
SSDEEP
1536:OXMLuZQG3KJ3QaIH9shR4fZcvr4C9u3MTIdD9mtthd9JovrgmqhtvM4CoLT6QPbc:gMLuZraJ3a0ehcvv9sM+9mtthd0gmWkr
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (54) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-
MITRE ATT&CK Enterprise v15
Execution
System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Create or Modify System Process
2Windows Service
2Defense Evasion
Direct Volume Access
1Impair Defenses
3Disable or Modify Tools
2Safe Mode Boot
1Indicator Removal
2File Deletion
2Modify Registry
6