Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

16/07/2021, 20:31

210716-aha97gbkys 8

21/05/2021, 08:56

210521-hzf81r96xs 9

Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    21/05/2021, 08:56

General

  • Target

    venus.bin.exe

  • Size

    137KB

  • MD5

    9aa3cc9d7c641ea22cfa3e5233e13c94

  • SHA1

    1970f6c17567d56c3e7840fe33a6959dd887fca2

  • SHA256

    49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71

  • SHA512

    ef87881534199c3eac630883701b86ac21e6143a61b2224c39421b23bf5d9a59b8b1b868becf8632582451d709be46c944359bbd132b75ec9591a5382b098e0c

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 22 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\venus.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\venus.bin.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\venus.bin.exe
      "C:\Windows\venus.bin.exe" g g g o n e123
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Windows\System32\cmd.exe
        /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1940
    • C:\Windows\System32\cmd.exe
      /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\venus.bin.exe
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\system32\PING.EXE
        ping localhost -n 3
        3⤵
        • Runs ping.exe
        PID:1328
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnregisterUninstall.vssx
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnregisterUninstall.vssx
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1052

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/980-65-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

    Filesize

    8KB

  • memory/1064-59-0x00000000757C1000-0x00000000757C3000-memory.dmp

    Filesize

    8KB