Overview

overview

10

Static

static

10

38d8f55b3a...d6.exe

windows7-x64

10

38d8f55b3a...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-11-2022 09:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38d8f55b3a4b6871b5e62fdc73c504d6.exe

  • Size

    225KB

  • MD5

    38d8f55b3a4b6871b5e62fdc73c504d6

  • SHA1

    102b8625e5662c89efe4547dc2cb173be8b08851

  • SHA256

    8045ad5cda6c42e5669cf52e492c004d842c7ae6f8a09522134834d0f57347eb

  • SHA512

    97c8f11f1bd28ecacddf3606b507dbeb0ab85a56c788e99160ef77c9757f92fd1e4920b24ad077de8763939da77d2bd71089512787dda0fd0e804d47c0cbbecb

  • SSDEEP

    6144:gUhJmXLQwAhgEkJ8kdV50DErPMxgTw7ozFD254W:gUneLQwAE8VDtGcopfW

Score
10/10
venusevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>Wvh+yDoebpY05BPoOBvbShfiRQAf0J/bi0ptwbRJ+mmPeapDrb4uIAH8OfekpCH7 LAoequGw86V1Xa+zGqAGrLwR7YhpZ8XhFTp37P3fs0D0P4UgX2XjFP0gsHnYe//4 /K8Kq2TSQMtRT44dsVBj+xP+D1yo83pW6Fn8kmmxMZebSQNvXzsXtQOX7Cu7ja5w y8OH1zke4DZOZu5kpnAzlK/syrqv56PoLagfq9vta160ZTVvVXzOXXTvsle1Kgaw O2GbBjUq3RaXP6PT2L/bl98aydomjea2eNcJ9dMHenyN9V0+9s5ZxowG9Z8mdu5Y 8jDrVk58BT2BhOCwzLjg1l6/t4/blt3YjKLf+dd2hapVcM8fhVt/e1eSMUKfs5AK QDArYsKjosc6JQw1uLj33OQBVzioapCBSXSulP8Ivnq0tdK4zwlAzx+GjuHcXsMF APZ/BYsdVQFxUm4tIvP4a+jEy7jf1q41fqC0MDv45pPZRdqHD16NOHzy+aSClhok I9RQ+gJhQU5swvAQgZtk1+IydRViaDbbRlt387RL/8/uXi1y9Was5dk6SqZhn8F7 /HzXozC+17Zv7jxazvd2XtBAjll3mo1WM9RTSfqAuOVdbxchOmAanN5uRoyCN7eK 0NxxPVxsW/E= </p></div></body></html></html></body></html>
Emails

us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>Wvh+yDoebpY05BPoOBvbShfiRQAf0J/bi0ptwbRJ+mmPeapDrb4uIAH8OfekpCH7

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\27405752111972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected]
Emails

email:[email protected]

email:[email protected]

Signatures

  • Venus

    Venus is a ransomware first seen in 2022.

    ransomwarevenus
  • Venus Ransomware 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38d8f55b3a4b6871b5e62fdc73c504d6.exe
    "C:\Users\Admin\AppData\Local\Temp\38d8f55b3a4b6871b5e62fdc73c504d6.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\38d8f55b3a4b6871b5e62fdc73c504d6.exe
      "C:\Windows\38d8f55b3a4b6871b5e62fdc73c504d6.exe" g g g o n e123
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks computer location settings
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:676
      • C:\Windows\System32\cmd.exe
        /C netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3636
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
          4⤵
          • Modifies Windows Firewall
          PID:4556
      • C:\Windows\System32\cmd.exe
        /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4612
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1316
      • C:\Windows\System32\cmd.exe
        /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:6128
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:4336
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1148
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {current} nx AlwaysOff
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:6152
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic SHADOWCOPY DELETE
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:6176
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\27405752111972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:5236
      • C:\Windows\System32\cmd.exe
        /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\38d8f55b3a4b6871b5e62fdc73c504d6.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Windows\system32\PING.EXE
          ping localhost -n 3
          3⤵
          • Runs ping.exe
          PID:592
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4396
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:5976
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:6076
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1132

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\27405752111972527219.hta
        Filesize

        1KB

        MD5

        e9deea88997db0f742c9c7685eb7d65b

        SHA1

        a77d8367d9f3270c68932a091b1a61734dd81327

        SHA256

        388cb2209ca8a7055165f75173fbd903f1273c470e2e6c3b68a4181eb0e87dfb

        SHA512

        313b3caed84f8ad019726e73bc6d4ebd2810c7ea0f9ea66f53ffbdfb6620a4f0a4c696b66c29a34a6fa6cb92bd322d01984a4e18df790675b2425ad3759a565c

        Download Submit

      • C:\Windows\38d8f55b3a4b6871b5e62fdc73c504d6.exe
        Filesize

        225KB

        MD5

        38d8f55b3a4b6871b5e62fdc73c504d6

        SHA1

        102b8625e5662c89efe4547dc2cb173be8b08851

        SHA256

        8045ad5cda6c42e5669cf52e492c004d842c7ae6f8a09522134834d0f57347eb

        SHA512

        97c8f11f1bd28ecacddf3606b507dbeb0ab85a56c788e99160ef77c9757f92fd1e4920b24ad077de8763939da77d2bd71089512787dda0fd0e804d47c0cbbecb

        Download Submit

      • C:\Windows\38d8f55b3a4b6871b5e62fdc73c504d6.exe
        Filesize

        225KB

        MD5

        38d8f55b3a4b6871b5e62fdc73c504d6

        SHA1

        102b8625e5662c89efe4547dc2cb173be8b08851

        SHA256

        8045ad5cda6c42e5669cf52e492c004d842c7ae6f8a09522134834d0f57347eb

        SHA512

        97c8f11f1bd28ecacddf3606b507dbeb0ab85a56c788e99160ef77c9757f92fd1e4920b24ad077de8763939da77d2bd71089512787dda0fd0e804d47c0cbbecb

        Download Submit

      • memory/676-142-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/676-143-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4716-132-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download