Thanos Ransomware (COVID-19 Theme)

Sample Analysis:

Basic file info:

Basic static analysis consists of examining the executable file without viewing the actual instructions. It can confirm whether a file is malicious, provide information about its functionality, and sometimes yield information that allows you to produce simple network signatures.
  • Filename: winhost.exe (sample2.exe)
  • File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • MD5: be60e389a0108b2871dff12dfbb542ac
  • ImpHash: f34d5f2d4577ed6d9ceec516c1f5a744
  • Family: Thanos attribution (targeted campaign sample)

Dropped files:

Files created or dropped by the parent sample during dynamic analysis, recorded by Cyberstanc's Swatbox:

The files that are targeted for encryption are DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF files.

  • C:\Users\admin\AppData\Local\Temp\HOW_TO_DECYPHER_FILES.txt
  • C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk

Process Events:

Processes created by the parent sample during dynamic analysis, recorded by Cyberstanc's Swatbox:
  • "net.exe" stop avpsus /y
  • "net.exe" stop McAfeeDLPAgentService /y
  • "net.exe" stop mfewc /y
  • "net.exe" stop DefWatch /y
  • "net.exe" stop ccEvtMgr /y
  • "net.exe" stop ccSetMgr /y
  • "net.exe" stop SavRoam /y
  • "net.exe" stop RTVscan /y
  • "net.exe" stop QBFCService /y
  • "net.exe" stop QBIDPService /y
  • "net.exe" stop Intuit.QuickBooks.FCS /y
  • "net.exe" stop QBCFMonitorService /y
  • "net.exe" stop YooBackup /y
  • "net.exe" stop YooIT /y
  • "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  • "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  • "cmd.exe" /C C:\Documents and Settings\Administrator\Local Settings\Temp\tmp2.bat
  • "taskkill.exe" /IM mspub.exe /F
  • "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  • "sc.exe" config SQLWriter start= disabled
  • "sc.exe" config SstpSvc start= disabled
  • "net.exe" stop AcronisAgent /y
  • "net.exe" stop PDVFSService /y
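The process events above are the most actionable artifacts for a defender: a burst of `net stop` / `sc config ... start= disabled` against backup and endpoint-protection services, followed by `vssadmin resize shadowstorage`, is the typical pre-encryption sequence. The following is an added detection example (my own code, not Cyberstanc's or part of the Swatbox report) that tags process command lines, as a Sysmon or EDR feed would surface them, and raises an alert when shadow-storage tampering and several watched-service stops appear on the same host. The service list is taken from the events above; the sample feed is constructed.

```python
import re
from collections import Counter
from typing import Dict, List

# Services the sample stopped or disabled (from the process events above), lower-cased.
WATCHED_SERVICES = {s.lower() for s in [
    "avpsus", "McAfeeDLPAgentService", "mfewc", "DefWatch", "ccEvtMgr", "ccSetMgr",
    "SavRoam", "RTVscan", "QBFCService", "QBIDPService", "Intuit.QuickBooks.FCS",
    "QBCFMonitorService", "YooBackup", "YooIT", "AcronisAgent", "PDVFSService",
    "SQLTELEMETRY$ECWDB2", "SQLWriter", "SstpSvc",
]}

# Command-line shapes seen in the sandbox run; quotes and image paths are optional
# because logging pipelines render them differently.
NET_STOP = re.compile(r'(?:^|\\)"?net1?(?:\.exe)?"?\s+stop\s+"?([^"\s]+)', re.I)
SC_DISABLE = re.compile(r'(?:^|\\)"?sc(?:\.exe)?"?\s+config\s+"?([^"\s]+)"?\s+start=\s*disabled', re.I)
SHADOWSTORAGE = re.compile(r'vssadmin(?:\.exe)?"?\s+resize\s+shadowstorage', re.I)

def tag_command(cmdline: str) -> List[str]:
    """Return the suspicious behaviours a single process command line exhibits."""
    tags = []
    m = NET_STOP.search(cmdline)
    if m and m.group(1).lower() in WATCHED_SERVICES:
        tags.append("security_or_backup_service_stop")
    m = SC_DISABLE.search(cmdline)
    if m and m.group(1).lower() in WATCHED_SERVICES:
        tags.append("service_disabled_via_sc")
    if SHADOWSTORAGE.search(cmdline):
        tags.append("shadowstorage_resize")
    return tags

def assess_host(cmdlines: List[str], stop_threshold: int = 3) -> Dict[str, object]:
    """Aggregate tags for one host; shadow-copy tampering plus repeated service stops alerts."""
    counts = Counter(t for c in cmdlines for t in tag_command(c))
    stops = counts["security_or_backup_service_stop"] + counts["service_disabled_via_sc"]
    alert = counts["shadowstorage_resize"] > 0 and stops >= stop_threshold
    return {"counts": dict(counts), "alert": alert}

# Constructed sample feed (not from the report), with a benign service stop mixed in.
SAMPLE_CMDLINES = [
    '"net.exe" stop avpsus /y',
    '"net.exe" stop McAfeeDLPAgentService /y',
    '"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB',
    '"sc.exe" config SQLWriter start= disabled',
    '"net.exe" stop Spooler /y',  # not a watched service: ignored
    '"taskkill.exe" /IM mspub.exe /F',
    '"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded',
]

if __name__ == "__main__":
    print(assess_host(SAMPLE_CMDLINES))
```

The threshold keeps a single legitimate `net stop` from alerting; in production the aggregation window should be bounded in time (the sandbox run above completes the whole sequence within seconds).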

Registry Events:

Registry changes made by the parent sample during dynamic analysis, recorded by Cyberstanc's Swatbox:
  • sample2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sample2_RASAPI32 | MaxFileSize| 1048576
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
  • sample2.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\136\[email protected]%SystemRoot%\System32\fveui.dll,-843 | BitLocker Drive Encryption
  • sample2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sample2_RASAPI32FileDirectory | %windir%\tracing

Network Events:

Potential network connections made or attempted by the parent sample during dynamic analysis, recorded by Cyberstanc's Swatbox:
  • 172.217.23.132:443

Dynamic Runtime:

Full malware runtime recorded inside Cyberstanc's Swatbox:

sample2.exe (be60e389a0108b2871dff12dfbb542ac)

MITRE TTPs:

Hybrid analysis artifacts collected by Cyberstanc's Swatbox are mapped to the MITRE ATT&CK framework:
  • Obfuscated File (T1027)
  • Virtualization / Sandbox Checks (T1497)

Kill-Chain Vectors:

Hybrid analysis artifacts collected by Cyberstanc's Swatbox are mapped to potential kill-chain vectors that can be used to stop the malware's execution:
  • .Net 4.0 dependency
  • Encrypt data using AES

For a detailed analysis of the sample, download Swatbox's automated malware analysis report:

https://cyberstanc.com/uploads/eae911d2-863f-4d0e-b977-25761729a917/eae911d2-863f-4d0e-b977-25761729a917.pdf
