Overview

overview

10

Static

static

ee036f333a...6b.exe

windows7-x64

8

ee036f333a...6b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b.exe

  • Size

    225KB

  • Sample

    221018-fbq73seee5

  • MD5

    0e8476b3c4099a42baca7f16ca8253e6

  • SHA1

    e044edce8646124ddc39906e6fb6f02eaff16161

  • SHA256

    ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b

  • SHA512

    afeeda4d83a38e0ef3307fac88a63ed197a305501c84622151e07be17bd38d8d07ff91c36c832f5574c86165573940258c0d18f681e8346bf869089891b1021a

  • SSDEEP

    6144:hRAvJmXbQwAPnZXJAc4V50DErB5xgTw7ozFz254W:hRAxebQwAPAkDWGcoxfW

Score
10/10
evasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br>skype live:.cid.2eb1968719a82d39</strong><br><br>Ks3GLAz3SKAe8Fytw/JjbMHnpls2QthREJ6pnxcdqRFknFyRKfFvuVbzpcOOSSCG r2XrF3LKMHO917VZNTJ6qWVnypp3pPxa4FO+tTrJAEpwZL1X1Ecb72IPRCrhq7XM ZpdznYNCe0ywbZMdpssby6q25quQPoS+iZJ/PATRIPLAukoepwlU/u/xzQ6dWiDD IpKL5oQyPk91tRT3FWmbPBASQ3TF342r0fhk+kYRce1dvXxczUFINrS5ozm00wsq QoAz2qIN2i2Kh1l7Upglg5Ajts8jxh9iuj6IxTMvzYyU4RUJQyKsOvmnJlaEn0OG Je2FqiC3Btpn3Wqe/VNPJ/K5+SyzySjugfsKKE808pCayoSba6MYZbIjL4Dr1Zb7 8nRGxt8xSeEAjazfnTKKE7+HLSjBmhxM4UFJeRDg/5p4QaMc272m3RHd8y7slapp guQWapiH/8F8ObKJ+irE0hgi+yFz2bh0m37jQxsXctcxA9mOE9+7xSbodE8pkwi3 L9KrRj4uVipU17iIwwAbqQaVvPwXg2QBVAwPD9fEjWMO1jStSmsPQq9y52H4Fj8H ms+4cvK5I9wo0n9W2MuPB9g+gER0/s9PjkqBHtTQH9CMLOqXT9EOv/Gwwfm6SejK /qH5UufXnNQ= </p></div></body></html></html></body></html>
Emails

us:<br><strong><br>email:[email protected]<br>email:[email protected]<br>skype

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\32955067241972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected] skype live:.cid.2eb1968719a82d39
Emails

email:[email protected]

email:[email protected]

Targets

    • Target

      ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b.exe

    • Size

      225KB

    • MD5

      0e8476b3c4099a42baca7f16ca8253e6

    • SHA1

      e044edce8646124ddc39906e6fb6f02eaff16161

    • SHA256

      ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b

    • SHA512

      afeeda4d83a38e0ef3307fac88a63ed197a305501c84622151e07be17bd38d8d07ff91c36c832f5574c86165573940258c0d18f681e8346bf869089891b1021a

    • SSDEEP

      6144:hRAvJmXbQwAPnZXJAc4V50DErB5xgTw7ozFz254W:hRAxebQwAPAkDWGcoxfW

    Score
    10/10
    persistenceevasionransomwarespywarestealer

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks