venus | 8045ad5cda6c42e5669cf52e492c004d842c7ae6f8a09522134834d0f57347eb

General

Target

38d8f55b3a4b6871b5e62fdc73c504d6.exe
Size

225KB
MD5

38d8f55b3a4b6871b5e62fdc73c504d6
SHA1

102b8625e5662c89efe4547dc2cb173be8b08851
SHA256

8045ad5cda6c42e5669cf52e492c004d842c7ae6f8a09522134834d0f57347eb
SHA512

97c8f11f1bd28ecacddf3606b507dbeb0ab85a56c788e99160ef77c9757f92fd1e4920b24ad077de8763939da77d2bd71089512787dda0fd0e804d47c0cbbecb
SSDEEP

6144:gUhJmXLQwAhgEkJ8kdV50DErPMxgTw7ozFD254W:gUneLQwAE8VDtGcopfW

Score

10^/10

venus evasion persistence ransomware

Malware Config

Signatures

Venus
Venus is a ransomware first seen in 2022.
ransomware venus

Venus Ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1376-55-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus
behavioral1/files/0x0007000000005c50-57.dat	family_venus
behavioral1/memory/1868-66-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus
behavioral1/memory/1868-67-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus

Executes dropped EXE 1 IoCs

Processes:

38d8f55b3a4b6871b5e62fdc73c504d6.exe

pid	Process
1868	38d8f55b3a4b6871b5e62fdc73c504d6.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

Processes:

netsh.exe

pid	Process
1184	netsh.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1632	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

38d8f55b3a4b6871b5e62fdc73c504d6.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\38d8f55b3a4b6871b5e62fdc73c504d6.exe = "C:\\Windows\\38d8f55b3a4b6871b5e62fdc73c504d6.exe"	38d8f55b3a4b6871b5e62fdc73c504d6.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

38d8f55b3a4b6871b5e62fdc73c504d6.exe

description	ioc	Process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-999675638-2867687379-27515722-1000\desktop.ini	38d8f55b3a4b6871b5e62fdc73c504d6.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

38d8f55b3a4b6871b5e62fdc73c504d6.exe

description	ioc	Process
File opened (read-only)	\??\E:	38d8f55b3a4b6871b5e62fdc73c504d6.exe
File opened (read-only)	\??\F:	38d8f55b3a4b6871b5e62fdc73c504d6.exe

Drops file in Windows directory 2 IoCs

Processes:

38d8f55b3a4b6871b5e62fdc73c504d6.exe38d8f55b3a4b6871b5e62fdc73c504d6.exe

description	ioc	Process
File created	C:\Windows\38d8f55b3a4b6871b5e62fdc73c504d6.exe	38d8f55b3a4b6871b5e62fdc73c504d6.exe
File created	C:\Windows\12336500171972527219.png	38d8f55b3a4b6871b5e62fdc73c504d6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
1792	taskkill.exe

Modifies registry class 3 IoCs

Processes:

38d8f55b3a4b6871b5e62fdc73c504d6.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus	38d8f55b3a4b6871b5e62fdc73c504d6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon	38d8f55b3a4b6871b5e62fdc73c504d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon\ = "C:\\Windows\\12336500171972527219.png"	38d8f55b3a4b6871b5e62fdc73c504d6.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1828	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

38d8f55b3a4b6871b5e62fdc73c504d6.exetaskkill.exe

description	pid	Process
Token: SeDebugPrivilege	1868	38d8f55b3a4b6871b5e62fdc73c504d6.exe
Token: SeTcbPrivilege	1868	38d8f55b3a4b6871b5e62fdc73c504d6.exe
Token: SeTakeOwnershipPrivilege	1868	38d8f55b3a4b6871b5e62fdc73c504d6.exe
Token: SeSecurityPrivilege	1868	38d8f55b3a4b6871b5e62fdc73c504d6.exe
Token: SeDebugPrivilege	1792	taskkill.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

38d8f55b3a4b6871b5e62fdc73c504d6.execmd.exe38d8f55b3a4b6871b5e62fdc73c504d6.execmd.execmd.exe

description	pid	Process	procid_target
PID 1376 wrote to memory of 1868	1376	38d8f55b3a4b6871b5e62fdc73c504d6.exe	27
PID 1376 wrote to memory of 1868	1376	38d8f55b3a4b6871b5e62fdc73c504d6.exe	27
PID 1376 wrote to memory of 1868	1376	38d8f55b3a4b6871b5e62fdc73c504d6.exe	27
PID 1376 wrote to memory of 1868	1376	38d8f55b3a4b6871b5e62fdc73c504d6.exe	27
PID 1376 wrote to memory of 1632	1376	38d8f55b3a4b6871b5e62fdc73c504d6.exe	28
PID 1376 wrote to memory of 1632	1376	38d8f55b3a4b6871b5e62fdc73c504d6.exe	28
PID 1376 wrote to memory of 1632	1376	38d8f55b3a4b6871b5e62fdc73c504d6.exe	28
PID 1376 wrote to memory of 1632	1376	38d8f55b3a4b6871b5e62fdc73c504d6.exe	28
PID 1632 wrote to memory of 1828	1632	cmd.exe	30
PID 1632 wrote to memory of 1828	1632	cmd.exe	30
PID 1632 wrote to memory of 1828	1632	cmd.exe	30
PID 1868 wrote to memory of 1640	1868	38d8f55b3a4b6871b5e62fdc73c504d6.exe	31
PID 1868 wrote to memory of 1640	1868	38d8f55b3a4b6871b5e62fdc73c504d6.exe	31
PID 1868 wrote to memory of 1640	1868	38d8f55b3a4b6871b5e62fdc73c504d6.exe	31
PID 1868 wrote to memory of 1640	1868	38d8f55b3a4b6871b5e62fdc73c504d6.exe	31
PID 1868 wrote to memory of 560	1868	38d8f55b3a4b6871b5e62fdc73c504d6.exe	33
PID 1868 wrote to memory of 560	1868	38d8f55b3a4b6871b5e62fdc73c504d6.exe	33
PID 1868 wrote to memory of 560	1868	38d8f55b3a4b6871b5e62fdc73c504d6.exe	33
PID 1868 wrote to memory of 560	1868	38d8f55b3a4b6871b5e62fdc73c504d6.exe	33
PID 1640 wrote to memory of 1184	1640	cmd.exe	34
PID 1640 wrote to memory of 1184	1640	cmd.exe	34
PID 1640 wrote to memory of 1184	1640	cmd.exe	34
PID 560 wrote to memory of 1792	560	cmd.exe	36
PID 560 wrote to memory of 1792	560	cmd.exe	36
PID 560 wrote to memory of 1792	560	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\38d8f55b3a4b6871b5e62fdc73c504d6.exe
"C:\Users\Admin\AppData\Local\Temp\38d8f55b3a4b6871b5e62fdc73c504d6.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\38d8f55b3a4b6871b5e62fdc73c504d6.exe
  "C:\Windows\38d8f55b3a4b6871b5e62fdc73c504d6.exe" g g g o n e123
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\System32\cmd.exe
    /C netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
      4⤵
      Modifies Windows Firewall
      PID:1184
- - C:\Windows\System32\cmd.exe
    /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1792
- C:\Windows\System32\cmd.exe
  /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\38d8f55b3a4b6871b5e62fdc73c504d6.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\system32\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\38d8f55b3a4b6871b5e62fdc73c504d6.exe

Filesize
225KB

MD5
38d8f55b3a4b6871b5e62fdc73c504d6

SHA1
102b8625e5662c89efe4547dc2cb173be8b08851

SHA256
8045ad5cda6c42e5669cf52e492c004d842c7ae6f8a09522134834d0f57347eb

SHA512
97c8f11f1bd28ecacddf3606b507dbeb0ab85a56c788e99160ef77c9757f92fd1e4920b24ad077de8763939da77d2bd71089512787dda0fd0e804d47c0cbbecb

Download Submit
memory/560-62-0x0000000000000000-mapping.dmp

Download
memory/1184-63-0x0000000000000000-mapping.dmp

Download
memory/1184-65-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/1376-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1376-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1632-58-0x0000000000000000-mapping.dmp

Download
memory/1640-61-0x0000000000000000-mapping.dmp

Download
memory/1792-64-0x0000000000000000-mapping.dmp

Download
memory/1828-60-0x0000000000000000-mapping.dmp

Download
memory/1868-56-0x0000000000000000-mapping.dmp

Download
memory/1868-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1868-67-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads