Resubmissions

02-02-2022 04:34

220202-e7kjqsgaam 9

02-02-2022 04:25

220202-e172fsgbh4 9

Analysis

  • max time kernel
    606s
  • max time network
    600s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    02-02-2022 04:34

General

  • Target

    venecrypt.exe

  • Size

    9.1MB

  • MD5

    96b561c72edc125a84af4bf37192b675

  • SHA1

    b59d17885948d4de933a8d727a00ed020829ffc0

  • SHA256

    79bd4886bde18afe23cc54920491023a659ed849d31e1c73155f810909995329

  • SHA512

    bb61cd8c58620bfb50bb0b25fe3ca1573d7e158f79cd5d9af61f03a207e2e1e2e43fa823b26625252856bb3b10b9ae973a70d1ebe5df2b71431d9cd3641b9809

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\venecrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\venecrypt.exe"
    • Modifies extensions of user files
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1032
  • C:\Windows\system32\verclsid.exe
    "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
    PID:1648
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:604
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Virtualization/Sandbox Evasion (T1497): 1
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 2
    Virtualization/Sandbox Evasion (T1497): 1
    System Information Discovery (T1082): 2


Downloads

  • memory/604-63-0x0000000002C10000-0x0000000002C20000-memory.dmp
    Filesize: 64KB
  • memory/1032-55-0x0000000000010000-0x00000000000E1000-memory.dmp
    Filesize: 836KB
  • memory/1032-56-0x000007FE80010000-0x000007FE80011000-memory.dmp
    Filesize: 4KB
  • memory/1032-59-0x000000013F8E0000-0x00000001410E6000-memory.dmp
    Filesize: 24.0MB
  • memory/1032-61-0x000000013F8E0000-0x00000001410E6000-memory.dmp
    Filesize: 24.0MB
  • memory/1032-64-0x00000000020C0000-0x00000000020C2000-memory.dmp
    Filesize: 8KB
  • memory/1032-65-0x00000000020C6000-0x00000000020E5000-memory.dmp
    Filesize: 124KB
  • memory/1032-66-0x00000000020E5000-0x00000000020E6000-memory.dmp
    Filesize: 4KB
  • memory/1648-60-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp
    Filesize: 8KB