Analysis
- max time kernel: 370s
- max time network: 331s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 02-02-2022 04:34
Static task: static1
Behavioral task: behavioral1
  Sample: venecrypt.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: venecrypt.exe
  Resource: win10v2004-en-20220112
General
- Target: venecrypt.exe
- Size: 9.1MB
- MD5: 96b561c72edc125a84af4bf37192b675
- SHA1: b59d17885948d4de933a8d727a00ed020829ffc0
- SHA256: 79bd4886bde18afe23cc54920491023a659ed849d31e1c73155f810909995329
- SHA512: bb61cd8c58620bfb50bb0b25fe3ca1573d7e158f79cd5d9af61f03a207e2e1e2e43fa823b26625252856bb3b10b9ae973a70d1ebe5df2b71431d9cd3641b9809
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description                   ioc                                             process
    File opened for modification  C:\Users\Admin\Pictures\SwitchSend.tiff         venecrypt.exe
    File opened for modification  C:\Users\Admin\Pictures\CheckpointUnblock.tiff  venecrypt.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  venecrypt.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   venecrypt.exe
- Processes:
    resource                                                                       yara_rule
    behavioral2/memory/2176-134-0x00007FF65CF90000-0x00007FF65E796000-memory.dmp  themida
    behavioral2/memory/2176-135-0x00007FF65CF90000-0x00007FF65E796000-memory.dmp  themida
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                                                                     process
    Set value (str)  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Povlsomware = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\venecrypt.exe\""  venecrypt.exe
- Checks whether UAC is enabled
  Processes:
    description        ioc                                                                       process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  venecrypt.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
    pid   process
    2176  venecrypt.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                    process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  MusNotifyIcon.exe
    Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       MusNotifyIcon.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                pid   process
    Token: SeBackupPrivilege   3644  vssvc.exe
    Token: SeRestorePrivilege  3644  vssvc.exe
    Token: SeAuditPrivilege    3644  vssvc.exe
    Token: SeDebugPrivilege    2176  venecrypt.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    2176  venecrypt.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\venecrypt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\venecrypt.exe"
  - Modifies extensions of user files
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2176-130-0x00007FFB00000000-0x00007FFB00002000-memory.dmp (Filesize: 8KB)
- memory/2176-131-0x00007FFB00030000-0x00007FFB00031000-memory.dmp (Filesize: 4KB)
- memory/2176-134-0x00007FF65CF90000-0x00007FF65E796000-memory.dmp (Filesize: 24.0MB)
- memory/2176-135-0x00007FF65CF90000-0x00007FF65E796000-memory.dmp (Filesize: 24.0MB)
- memory/2176-136-0x0000021CD54A0000-0x0000021CD54A2000-memory.dmp (Filesize: 8KB)
- memory/2176-137-0x0000021CD54A2000-0x0000021CD54A4000-memory.dmp (Filesize: 8KB)