Analysis
- Max time kernel: 149s
- Max time network: 96s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 21-05-2021 08:56
- Static task: static1
- Behavioral task: behavioral1 (sample: venus.bin.exe, resource: win7v20210408)
- Behavioral task: behavioral2 (sample: venus.bin.exe, resource: win10v20210410)
General
- Target: venus.bin.exe
- Size: 137KB
- MD5: 9aa3cc9d7c641ea22cfa3e5233e13c94
- SHA1: 1970f6c17567d56c3e7840fe33a6959dd887fca2
- SHA256: 49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71
- SHA512: ef87881534199c3eac630883701b86ac21e6143a61b2224c39421b23bf5d9a59b8b1b868becf8632582451d709be46c944359bbd132b75ec9591a5382b098e0c
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1596 venus.bin.exe
- Deletes itself (1 IoC)
  Processes: PID 1692 cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: venus.bin.exe, Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\venus.bin.exe = "C:\\Windows\\venus.bin.exe"
- Drops desktop.ini file(s) (22 IoCs)
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: venus.bin.exe, File opened (read-only): \??\E:; File opened (read-only): \??\F:
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (1 IoC)
  Processes: venus.bin.exe, File created: C:\Windows\venus.bin.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Processes: PID 1940 taskkill.exe
- Modifies registry class (1 IoC)
  Processes: rundll32.exe, Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_Classes\Local Settings
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: PID 1052 NOTEPAD.EXE
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token SeDebugPrivilege: PID 1596 venus.bin.exe
    Token SeTcbPrivilege: PID 1596 venus.bin.exe
    Token SeDebugPrivilege: PID 1940 taskkill.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: PID 1596 venus.bin.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  Processes: PID 1596 venus.bin.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (source PID / process -> target PID / process, number of events):
    1064 venus.bin.exe -> 1596 venus.bin.exe (4 events)
    1064 venus.bin.exe -> 1692 cmd.exe (4 events)
    1692 cmd.exe -> 1328 PING.EXE (3 events)
    980 rundll32.exe -> 1052 NOTEPAD.EXE (3 events)
    1596 venus.bin.exe -> 1688 cmd.exe (4 events)
    1688 cmd.exe -> 1940 taskkill.exe (3 events)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\venus.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\venus.bin.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\venus.bin.exe
    Command line: "C:\Windows\venus.bin.exe" g g g o n e123
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\System32\cmd.exe
      Command line: /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\system32\taskkill.exe
        Command line: taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  - (depth 2) C:\Windows\System32\cmd.exe
    Command line: /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\venus.bin.exe
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\system32\PING.EXE
      Command line: ping localhost -n 3
      - Runs ping.exe
- (depth 1) C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnregisterUninstall.vssx
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnregisterUninstall.vssx
    - Opens file in notepad (likely ransom note)
Downloads
- C:\Windows\venus.bin.exe
  MD5: 9aa3cc9d7c641ea22cfa3e5233e13c94
  SHA1: 1970f6c17567d56c3e7840fe33a6959dd887fca2
  SHA256: 49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71
  SHA512: ef87881534199c3eac630883701b86ac21e6143a61b2224c39421b23bf5d9a59b8b1b868becf8632582451d709be46c944359bbd132b75ec9591a5382b098e0c
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e