Overview

overview

10

Static

static

ee036f333a...6b.exe

windows7-x64

8

ee036f333a...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/10/2022, 15:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b.exe

  • Size

    225KB

  • MD5

    0e8476b3c4099a42baca7f16ca8253e6

  • SHA1

    e044edce8646124ddc39906e6fb6f02eaff16161

  • SHA256

    ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b

  • SHA512

    afeeda4d83a38e0ef3307fac88a63ed197a305501c84622151e07be17bd38d8d07ff91c36c832f5574c86165573940258c0d18f681e8346bf869089891b1021a

  • SSDEEP

    6144:hRAvJmXbQwAPnZXJAc4V50DErB5xgTw7ozFz254W:hRAxebQwAPAkDWGcoxfW

Score
10/10
evasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br>skype live:.cid.2eb1968719a82d39</strong><br><br>N4d7ulDp4n9xmfT9tNMtZHwOgLjU9PJAYuJD7Y2ck3VS42QBpac9yxkDBeY4f5Up Bwre0xCL5kgwiR/L3PSKmPosmNedUbOpJX502IRBqGWpZUK0lK1yO6OwUEJnqLut PsZ9DUYbnDAKH69FT/dVKuKCOMuuHZgwB8n2MJQHw/UZHT68YNlErgYh4GGCPwSr PWqVvf91SwaUOloVXv58T/M3IJKEya53ugzJM4lC79wRhDG7RV5VKz7z+IetLykW EqmtvyDK89qAu4lnHIHkc1m4+FwWoSCIWaz31XfXtlXDSAusogtBw5yB3oZXPnUw faDDGOhrDZUmBQmPM8HEn32UiVBY6JleTX3pHBIOClae7bP7JZwFvFblDkavu6cE fKdtziOJDZicZhewtg9nIUYQl2UPAEwXLe4vIh+Wd3k/Y4Zs9vqrx8m/hHsvAB2g VUWaWRjfcGVGFp28fXP2SbRikvKK5rDsM2HGKrAPxucYJ/BgkxUde6xdRRtbNMtZ UWQpAPOxYKe5zVMWBda6N0iLx1yoUOunvWBSvd0kax2l9TVnxE0KmkaSD/gx1ey6 wjS3MRC5vD+fcUfLW4/FuVlOyOwqF0l5shG+zLlyXibWPZRrl4J1QP4yTmqjTymq AVmo5ZRhW7U= </p></div></body></html></html></body></html>
Emails

us:<br><strong><br>email:[email protected]<br>email:[email protected]<br>skype

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\42807121641972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected] skype live:.cid.2eb1968719a82d39
Emails

email:[email protected]

email:[email protected]

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 18 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b.exe
    "C:\Users\Admin\AppData\Local\Temp\ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Windows\ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b.exe
      "C:\Windows\ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b.exe" g g g o n e123
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks computer location settings
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Windows\System32\cmd.exe
        /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4152
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:976
      • C:\Windows\System32\cmd.exe
        /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5984
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:6032
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2984
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {current} nx AlwaysOff
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:6068
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic SHADOWCOPY DELETE
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1448
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\42807121641972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:5892
      • C:\Windows\System32\cmd.exe
        /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4916
        • C:\Windows\system32\PING.EXE
          ping localhost -n 3
          3⤵
          • Runs ping.exe
          PID:3840
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:6072
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:6116
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:1472
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5868

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\42807121641972527219.hta
        Filesize

        1KB

        MD5

        8103aa0a52830e860d4e8457864e3b99

        SHA1

        9c0ed2ecd13d4fe060f76b9a3687cc113a0bedba

        SHA256

        1da12388514e57bf5e2c3345e7ca3e6b1eba62617a5c27a1db73280e3a1429dc

        SHA512

        69ad2a795c5ea0aa3b7e2d8584b1579c42f59f89bae4c3d608e5046a6ed7ab2d8903fcde3f57dea0845aa919f719b7253d9d8582a85787d0679ca1fa52af7416

        Download Submit

      • C:\Windows\ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b.exe
        Filesize

        225KB

        MD5

        0e8476b3c4099a42baca7f16ca8253e6

        SHA1

        e044edce8646124ddc39906e6fb6f02eaff16161

        SHA256

        ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b

        SHA512

        afeeda4d83a38e0ef3307fac88a63ed197a305501c84622151e07be17bd38d8d07ff91c36c832f5574c86165573940258c0d18f681e8346bf869089891b1021a

        Download Submit

      • C:\Windows\ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b.exe
        Filesize

        225KB

        MD5

        0e8476b3c4099a42baca7f16ca8253e6

        SHA1

        e044edce8646124ddc39906e6fb6f02eaff16161

        SHA256

        ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b

        SHA512

        afeeda4d83a38e0ef3307fac88a63ed197a305501c84622151e07be17bd38d8d07ff91c36c832f5574c86165573940258c0d18f681e8346bf869089891b1021a

        Download Submit

      • memory/760-132-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/760-139-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5052-142-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5052-137-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download