| File name: | Ransomware.Thanos.zip |
| Full analysis: | https://app.any.run/tasks/1cc64a35-0683-4dc7-9332-ad57652edea8 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | November 01, 2024, 16:15:41 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 00184463F3B071369D60353C692BE6F0 |
| SHA1: | D3C1E90F39DA2997EF4888B54D706B1A1FDE642A |
| SHA256: | CD0F55DD00111251CD580C7E7CC1D17448FAF27E4EF39818D75CE330628C7787 |
| SSDEEP: | 3072:fn8L7y+NJQpRhkU0kbH2PNo/1GjTqOncYIOSsk:f8L7xNJQFzCo/ojTqOnYD |
MALICIOUS
Starts NET.EXE for service management
- 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe (PID: 6296)
- net.exe (PID: 7128)
- net.exe (PID: 4208)
- net.exe (PID: 2272)
- net.exe (PID: 6952)
- net.exe (PID: 6204)
- net.exe (PID: 5792)
- net.exe (PID: 7120)
- net.exe (PID: 2928)
- net.exe (PID: 528)
- net.exe (PID: 6312)
- net.exe (PID: 3916)
- net.exe (PID: 1500)
- net.exe (PID: 7372)
- net.exe (PID: 4376)
- net.exe (PID: 3076)
- net.exe (PID: 6716)
- net.exe (PID: 3020)
- net.exe (PID: 4680)
- net.exe (PID: 7336)
- net.exe (PID: 5524)
- net.exe (PID: 6212)
- net.exe (PID: 7424)
- net.exe (PID: 7408)
- net.exe (PID: 7572)
- net.exe (PID: 7612)
- net.exe (PID: 7628)
- net.exe (PID: 7528)
- net.exe (PID: 7440)
- net.exe (PID: 7388)
- net.exe (PID: 7360)
- net.exe (PID: 4144)
- net.exe (PID: 3580)
- net.exe (PID: 2444)
- net.exe (PID: 6876)
- net.exe (PID: 7164)
- net.exe (PID: 7088)
Ransomware note has been found
- notepad.exe (PID: 8156)
- notepad.exe (PID: 6856)
Starts CMD.EXE for self-deleting
- 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe (PID: 6296)
SUSPICIOUS
Uses TASKKILL.EXE to kill process
- 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe (PID: 6296)
Executing commands from a ".bat" file
- 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe (PID: 6296)
Starts CMD.EXE for commands execution
- 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe (PID: 6296)
Start notepad (likely ransomware note)
- 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe (PID: 6296)
Hides command output
- cmd.exe (PID: 8872)
Sets range of bytes to zero
- fsutil.exe (PID: 8412)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 616)
Manual execution by a user
- 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe (PID: 6296)
- notepad.exe (PID: 6856)
- msedge.exe (PID: 7756)
- Taskmgr.exe (PID: 6812)
- Taskmgr.exe (PID: 3108)
Application launched itself
- msedge.exe (PID: 7756)
- msedge.exe (PID: 6604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 788 |
|---|---|
| ZipBitFlag: | 0x0001 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2020:09:11 10:46:34 |
| ZipCRC: | 0xc1793c10 |
| ZipCompressedSize: | 35715 |
| ZipUncompressedSize: | 84480 |
| ZipFileName: | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f |
Total processes
334
Monitored processes
198
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 528 | "net.exe" stop zhudongfangyu /y | C:\Windows\SysWOW64\net.exe | — | 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 616 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Ransomware.Thanos.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 712 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 864 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 864 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 944 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1084 | "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3432 --field-trial-handle=2376,i,7972445495524969132,2212689838805624927,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: PWA Identity Proxy Host Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1336 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7608 --field-trial-handle=2384,i,6461643753110050369,14349790554135016324,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1500 | "net.exe" stop VeeamDeploymentService /y | C:\Windows\SysWOW64\net.exe | — | 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1572 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
14 643
Read events
14 558
Write events
71
Delete events
14
Modification events
| (PID) Process: | (616) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip | |||
| (PID) Process: | (616) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\Ransomware.Thanos.zip | |||
| (PID) Process: | (616) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (616) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (616) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (616) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (616) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath |
| Operation: | delete value | Name: | 15 |
Value: | |||
| (PID) Process: | (616) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath |
| Operation: | delete value | Name: | 14 |
Value: | |||
| (PID) Process: | (616) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath |
| Operation: | delete value | Name: | 13 |
Value: | |||
| (PID) Process: | (616) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath |
| Operation: | delete value | Name: | 12 |
Value: | |||
Executable files
32
Suspicious files
621
Text files
151
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 616 | WinRAR.exe | C:\Users\admin\Desktop\Ransomware.Thanos\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d | executable | |
MD5:BE60E389A0108B2871DFF12DFBB542AC | SHA256:5D40615701C48A122E44F831E7C8643D07765629A83B15D090587F469C77693D | |||
| 6296 | 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe | C:\Users\admin\Pictures\patientshe.jpg.locked | binary | |
MD5:2138F99E1BFD22F5BD490DD7A0B73014 | SHA256:507EE3D672C726AA52E74946E6D418A94ADE007B6D36A313E07EA0D7C20CAC4F | |||
| 6296 | 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe | C:\Users\admin\Pictures\yorkhad.jpg.locked | binary | |
MD5:5C548507BAE605F9D16245E57567EF66 | SHA256:FBB1C3CE7EC814C45074E7258C99E1D2CAAF9ABED39F98097C00601BAC6939FD | |||
| 6296 | 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe | C:\Users\admin\Pictures\footballquote.png.locked | binary | |
MD5:4EE47D13E11C033DC84D3AC9DC86FACE | SHA256:12B06A53AAC13CD1B5890CD92C05DED9439FB459D24FC434D1DC065AB49BD3DB | |||
| 6296 | 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe | C:\Users\admin\AppData\Local\Temp\HOW_TO_DECYPHER_FILES.txt | text | |
MD5:E98550408B77A1E4047C1E6BFE04FF32 | SHA256:1D137EFE19F6D8E639A80C45DAB82B15E03E6E3E1CBF735BE2078D9162705952 | |||
| 6296 | 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe | C:\Users\admin\Documents\federalactivities.rtf.locked | binary | |
MD5:EB9CB4EB37E153B6CBBDDC716D59436F | SHA256:9F37420089BD948364CF281A0D4D1CD1A6A81FEB7E4E42AEA41C64C544465261 | |||
| 6296 | 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe | C:\Users\admin\Downloads\dvdsresearch.png.locked | binary | |
MD5:5A2872FC93C819B1E11FC95622D667F8 | SHA256:7125C53D39D615508A57DC937E1C59D472A187B8A82DA459E9EB7EE4D09EC308 | |||
| 6296 | 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe | C:\Users\admin\Documents\morningannouncements.rtf.locked | binary | |
MD5:63EE21FB94B6C1459A02F7514839376C | SHA256:F9C2CFC346E7BF32BAEB97D06A11E4EE50FCD8C2C2290233C9B905DDF3C5DB2C | |||
| 6296 | 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe | C:\Users\admin\Documents\itsscreen.rtf.locked | binary | |
MD5:10333484CC343251D5AEBCFD139E9A8E | SHA256:C0D470BD676DF1F6612E7AD19EBA2D00CE5A419726488E971FE4F4BCDD8D542A | |||
| 6296 | 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe | C:\Users\admin\Documents\Database1.accdb.locked | binary | |
MD5:8C6D1C79C1B651747165C54D13083A55 | SHA256:821845BF62A220DB4FC8B41063460FD89B90EE5CDC7E33E1AA683F66E8B30BEF | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
153
DNS requests
164
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
4700 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
2376 | SIHClient.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
4236 | svchost.exe | HEAD | 200 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/181d62d0-8e71-4ab0-b6f0-62f746749689?P1=1730979215&P2=404&P3=2&P4=gVP39e1zQg83f9W7KjDlb0ZUk5XW%2bu5frt7qNcrU8qFbZbaAB0tpYsoN%2b%2f%2fbyUwLiH2t5jGF0Y9OtlDQIVlScw%3d%3d | unknown | — | — | whitelisted |
2376 | SIHClient.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5488 | MoUsoCoreWorker.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
6944 | svchost.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
5488 | MoUsoCoreWorker.exe | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted |
— | — | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted |
6944 | svchost.exe | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted |
4020 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
login.live.com |
| whitelisted |
th.bing.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |