Analysis
- max time kernel: 606s
- max time network: 600s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 02-02-2022 04:34
Static task: static1
Behavioral task: behavioral1
- Sample: venecrypt.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: venecrypt.exe
- Resource: win10v2004-en-20220112
General
- Target: venecrypt.exe
- Size: 9.1MB
- MD5: 96b561c72edc125a84af4bf37192b675
- SHA1: b59d17885948d4de933a8d727a00ed020829ffc0
- SHA256: 79bd4886bde18afe23cc54920491023a659ed849d31e1c73155f810909995329
- SHA512: bb61cd8c58620bfb50bb0b25fe3ca1573d7e158f79cd5d9af61f03a207e2e1e2e43fa823b26625252856bb3b10b9ae973a70d1ebe5df2b71431d9cd3641b9809
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  - File opened for modification: C:\Users\Admin\Pictures\EnableAssert.tiff (venecrypt.exe)
  - File opened for modification: C:\Users\Admin\Pictures\EnterRestore.tiff (venecrypt.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (venecrypt.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (venecrypt.exe)
- Processes (resource / yara_rule):
  - behavioral1/memory/1032-59-0x000000013F8E0000-0x00000001410E6000-memory.dmp: themida
  - behavioral1/memory/1032-61-0x000000013F8E0000-0x00000001410E6000-memory.dmp: themida
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Povlsomware = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\venecrypt.exe\"" (venecrypt.exe)
- Checks whether UAC is enabled
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (venecrypt.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  - pid 1032 venecrypt.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - pid 604 taskmgr.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - pid 604 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 604 taskmgr.exe
  - Token: SeBackupPrivilege, pid 1864 vssvc.exe
  - Token: SeRestorePrivilege, pid 1864 vssvc.exe
  - Token: SeAuditPrivilege, pid 1864 vssvc.exe
  - Token: SeDebugPrivilege, pid 1032 venecrypt.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes:
  - pid 604 taskmgr.exe (64 identical entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes:
  - pid 604 taskmgr.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - pid 1032 venecrypt.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\venecrypt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\venecrypt.exe"
  - Modifies extensions of user files
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\verclsid.exe
  Command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/604-63-0x0000000002C10000-0x0000000002C20000-memory.dmp (64KB)
- memory/1032-55-0x0000000000010000-0x00000000000E1000-memory.dmp (836KB)
- memory/1032-56-0x000007FE80010000-0x000007FE80011000-memory.dmp (4KB)
- memory/1032-59-0x000000013F8E0000-0x00000001410E6000-memory.dmp (24.0MB)
- memory/1032-61-0x000000013F8E0000-0x00000001410E6000-memory.dmp (24.0MB)
- memory/1032-64-0x00000000020C0000-0x00000000020C2000-memory.dmp (8KB)
- memory/1032-65-0x00000000020C6000-0x00000000020E5000-memory.dmp (124KB)
- memory/1032-66-0x00000000020E5000-0x00000000020E6000-memory.dmp (4KB)
- memory/1648-60-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp (8KB)