General
-
Target
https://mega.nz/file/9oYFjCZA#ChQlTD2yXk-a0E8r1dywSIfxnRiaxkvwtfccnwYyc0A
-
Sample
241108-v1g32awdld
Malware Config
Targets
-
-
Target
https://mega.nz/file/9oYFjCZA#ChQlTD2yXk-a0E8r1dywSIfxnRiaxkvwtfccnwYyc0A
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Disables service(s)
-
Modifies Windows Defender Real-time Protection settings
-
Thanos Ransomware
Ransomware-as-a-service (RaaS) sold through underground forums.
-
Thanos executable
-
Thanos family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (52) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Windows security modification
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-
Network Service Discovery
Attempt to gather information on host's network.
-
MITRE ATT&CK Enterprise v15
Execution
System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Direct Volume Access
1Impair Defenses
2Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Registry
3Discovery
Browser Information Discovery
1Network Service Discovery
1Query Registry
2Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1