79bd4886bde18afe23cc54920491023a659ed849d31e1c73155f810909995329

Resubmissions

02-02-2022 04:34

220202-e7kjqsgaam 9

02-02-2022 04:25

220202-e172fsgbh4 9

Analysis

max time kernel
370s
max time network
331s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
02-02-2022 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

venecrypt.exe
Size

9.1MB
MD5

96b561c72edc125a84af4bf37192b675
SHA1

b59d17885948d4de933a8d727a00ed020829ffc0
SHA256

79bd4886bde18afe23cc54920491023a659ed849d31e1c73155f810909995329
SHA512

bb61cd8c58620bfb50bb0b25fe3ca1573d7e158f79cd5d9af61f03a207e2e1e2e43fa823b26625252856bb3b10b9ae973a70d1ebe5df2b71431d9cd3641b9809

Score

9^/10

evasion persistence ransomware themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

venecrypt.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SwitchSend.tiff	venecrypt.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointUnblock.tiff	venecrypt.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

venecrypt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	venecrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	venecrypt.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2176-134-0x00007FF65CF90000-0x00007FF65E796000-memory.dmp	themida
behavioral2/memory/2176-135-0x00007FF65CF90000-0x00007FF65E796000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

venecrypt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Povlsomware = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\venecrypt.exe\""	venecrypt.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

venecrypt.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA venecrypt.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

venecrypt.exe

pid process

2176 venecrypt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	venecrypt.exe

pid	process
2176	venecrypt.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vssvc.exevenecrypt.exe

description	pid	process
Token: SeBackupPrivilege	3644	vssvc.exe
Token: SeRestorePrivilege	3644	vssvc.exe
Token: SeAuditPrivilege	3644	vssvc.exe
Token: SeDebugPrivilege	2176	venecrypt.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

venecrypt.exe

pid process

2176 venecrypt.exe

pid	process
2176	venecrypt.exe

C:\Users\Admin\AppData\Local\Temp\venecrypt.exe
"C:\Users\Admin\AppData\Local\Temp\venecrypt.exe"
1⤵
- Modifies extensions of user files
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:3248

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2176-130-0x00007FFB00000000-0x00007FFB00002000-memory.dmp

Filesize
8KB

Download
memory/2176-131-0x00007FFB00030000-0x00007FFB00031000-memory.dmp

Filesize
4KB

Download
memory/2176-134-0x00007FF65CF90000-0x00007FF65E796000-memory.dmp

Filesize
24.0MB

Download
memory/2176-135-0x00007FF65CF90000-0x00007FF65E796000-memory.dmp

Filesize
24.0MB

Download
memory/2176-136-0x0000021CD54A0000-0x0000021CD54A2000-memory.dmp

Filesize
8KB

Download
memory/2176-137-0x0000021CD54A2000-0x0000021CD54A4000-memory.dmp

Filesize
8KB

Download