Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
116s -
max time network
86s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
16/07/2021, 20:31
Static task
static1
Behavioral task
behavioral1
Sample
venus.bin.exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
General
-
Target
venus.bin.exe
-
Size
137KB
-
MD5
9aa3cc9d7c641ea22cfa3e5233e13c94
-
SHA1
1970f6c17567d56c3e7840fe33a6959dd887fca2
-
SHA256
49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71
-
SHA512
ef87881534199c3eac630883701b86ac21e6143a61b2224c39421b23bf5d9a59b8b1b868becf8632582451d709be46c944359bbd132b75ec9591a5382b098e0c
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1848 venus.bin.exe -
Deletes itself 1 IoCs
pid Process 1764 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\venus.bin.exe = "C:\\Windows\\venus.bin.exe" venus.bin.exe -
Drops desktop.ini file(s) 23 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XVLP3GFJ\desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\Links\desktop.ini venus.bin.exe File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini venus.bin.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini venus.bin.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini venus.bin.exe File opened for modification C:\Program Files (x86)\desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MLS6OOW4\desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\Documents\desktop.ini venus.bin.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini venus.bin.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini venus.bin.exe File opened for modification C:\Program Files\desktop.ini venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI venus.bin.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini venus.bin.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: venus.bin.exe File opened (read-only) \??\F: venus.bin.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts2.css venus.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00732_.WMF venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\LAUNCH.GIF venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\LOOKUP.DAT venus.bin.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png venus.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00449_.WMF venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FORM.ICO venus.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\jawt.lib venus.bin.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\library.js venus.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg venus.bin.exe File opened for modification C:\Program Files\Common Files\System\ado\adovbs.inc venus.bin.exe File opened for modification C:\Program Files\DVD Maker\Shared\DissolveNoise.png venus.bin.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh88 venus.bin.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198372.WMF venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239943.WMF venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SHARING.CFG venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABMASK.BMP venus.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize venus.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dts_plugin.dll venus.bin.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js venus.bin.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01354_.WMF venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18198_.WMF venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.REST.IDX_DLL venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTITL.ICO venus.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar venus.bin.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png venus.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar venus.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar venus.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar venus.bin.exe File opened for modification C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll venus.bin.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\hxdsui.dll venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\viewSelectionChanged.js venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL044.XML venus.bin.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\msdaosp.dll venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanResume.Dotx venus.bin.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ms.pak venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182898.WMF venus.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhds_plugin.dll venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OutDomain.ico venus.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml venus.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\AcroRead.msi venus.bin.exe File opened for modification C:\Program Files (x86)\Common Files\System\msadc\handsafe.reg venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5F.GIF venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.DPV venus.bin.exe File opened for modification C:\Program Files (x86)\MSBuild\Microsoft.Office.InfoPath.targets venus.bin.exe File opened for modification C:\Program Files\Java\jre7\lib\ext\sunmscapi.jar venus.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187859.WMF venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Process Library.fdt venus.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html venus.bin.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png venus.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\nssckbi.dll venus.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar venus.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmirror_plugin.dll venus.bin.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png venus.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe venus.bin.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\venus.bin.exe venus.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
pid Process 1852 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1808 PING.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1848 venus.bin.exe Token: SeTcbPrivilege 1848 venus.bin.exe Token: SeDebugPrivilege 1852 taskkill.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1848 venus.bin.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1848 venus.bin.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1116 wrote to memory of 1848 1116 venus.bin.exe 26 PID 1116 wrote to memory of 1848 1116 venus.bin.exe 26 PID 1116 wrote to memory of 1848 1116 venus.bin.exe 26 PID 1116 wrote to memory of 1848 1116 venus.bin.exe 26 PID 1116 wrote to memory of 1764 1116 venus.bin.exe 27 PID 1116 wrote to memory of 1764 1116 venus.bin.exe 27 PID 1116 wrote to memory of 1764 1116 venus.bin.exe 27 PID 1116 wrote to memory of 1764 1116 venus.bin.exe 27 PID 1764 wrote to memory of 1808 1764 cmd.exe 29 PID 1764 wrote to memory of 1808 1764 cmd.exe 29 PID 1764 wrote to memory of 1808 1764 cmd.exe 29 PID 1848 wrote to memory of 928 1848 venus.bin.exe 35 PID 1848 wrote to memory of 928 1848 venus.bin.exe 35 PID 1848 wrote to memory of 928 1848 venus.bin.exe 35 PID 1848 wrote to memory of 928 1848 venus.bin.exe 35 PID 928 wrote to memory of 1852 928 cmd.exe 37 PID 928 wrote to memory of 1852 928 cmd.exe 37 PID 928 wrote to memory of 1852 928 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\venus.bin.exe"C:\Users\Admin\AppData\Local\Temp\venus.bin.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\venus.bin.exe"C:\Windows\venus.bin.exe" g g g o n e1232⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\System32\cmd.exe/C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe3⤵
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\system32\taskkill.exetaskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1852
-
-
-
C:\Windows\System32\cmd.exe/C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE3⤵PID:3876
-
-
-
C:\Windows\System32\cmd.exe/c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\venus.bin.exe2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\system32\PING.EXEping localhost -n 33⤵
- Runs ping.exe
PID:1808
-
-