Resubmissions

02-02-2022 04:34

220202-e7kjqsgaam 9

02-02-2022 04:25

220202-e172fsgbh4 9

General

  • Target

    venecrypt.exe

  • Size

    9.1MB

  • Sample

    220202-e172fsgbh4

  • MD5

    96b561c72edc125a84af4bf37192b675

  • SHA1

    b59d17885948d4de933a8d727a00ed020829ffc0

  • SHA256

    79bd4886bde18afe23cc54920491023a659ed849d31e1c73155f810909995329

  • SHA512

    bb61cd8c58620bfb50bb0b25fe3ca1573d7e158f79cd5d9af61f03a207e2e1e2e43fa823b26625252856bb3b10b9ae973a70d1ebe5df2b71431d9cd3641b9809

Malware Config

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    1 × Registry Run Keys / Startup Folder (T1060)

  • Defense Evasion

    1 × Virtualization/Sandbox Evasion (T1497)

    1 × Modify Registry (T1112)

  • Discovery

    2 × Query Registry (T1012)

    1 × Virtualization/Sandbox Evasion (T1497)

    2 × System Information Discovery (T1082)

Tasks