Analysis
max time kernel: 151s
max time network: 154s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 18-11-2022 09:09
Behavioral task: behavioral1
Sample: 99bc5e82135557b8e571b2deab9f297f.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 99bc5e82135557b8e571b2deab9f297f.exe
Resource: win10v2004-20221111-en
General
Target: 99bc5e82135557b8e571b2deab9f297f.exe
Size: 136KB
MD5: 99bc5e82135557b8e571b2deab9f297f
SHA1: ec11f6abf13044a438a7f363bda2c9d5709d2475
SHA256: 04d75593f6acdfe0c959345b8d6702166537d7533abfeb4b568339dee1986b5e
SHA512: cffb151124a92bd9a1dca3e12ad4482e1dbdb4ff93099785e02b897c688d0a741a6d28b9ab40bc757e24caee1890ec207287058176547ff2bc48803c8aea7a5c
SSDEEP: 3072:d4YLjaoAN6vHt5pmX8Q8QAjD44vcTlYewhp8J1HGjqZfTd3zHZ0DELbT4n:tlmX8QHA0B9Sp+1cmV50DEr4n
Malware Config
Signatures
Venus
Venus is a ransomware family first seen in 2022.
Venus Ransomware 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2000-55-0x0000000000400000-0x0000000000428000-memory.dmp | family_venus
behavioral1/files/0x0007000000005c50-57.dat | family_venus
behavioral1/memory/824-61-0x0000000000400000-0x0000000000428000-memory.dmp | family_venus
behavioral1/memory/824-64-0x0000000000400000-0x0000000000428000-memory.dmp | family_venus
Executes dropped EXE 1 IoCs
Processes:
pid | Process
824 | 99bc5e82135557b8e571b2deab9f297f.exe
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\HideInitialize.tiff | 99bc5e82135557b8e571b2deab9f297f.exe
File renamed | C:\Users\Admin\Pictures\HideInitialize.tiff => C:\Users\Admin\Pictures\HideInitialize.tiff.venus | 99bc5e82135557b8e571b2deab9f297f.exe
File renamed | C:\Users\Admin\Pictures\SaveSync.png => C:\Users\Admin\Pictures\SaveSync.png.venus | 99bc5e82135557b8e571b2deab9f297f.exe
Deletes itself 1 IoCs
Processes:
pid | Process
2028 | cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\99bc5e82135557b8e571b2deab9f297f.exe = "C:\\Windows\\99bc5e82135557b8e571b2deab9f297f.exe" | 99bc5e82135557b8e571b2deab9f297f.exe
Drops desktop.ini file(s) 50 IoCs
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | Process
File opened (read-only) | \??\E: | 99bc5e82135557b8e571b2deab9f297f.exe
File opened (read-only) | \??\F: | 99bc5e82135557b8e571b2deab9f297f.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | Process
File created | C:\Windows\99bc5e82135557b8e571b2deab9f297f.exe | 99bc5e82135557b8e571b2deab9f297f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill 1 IoCs
Processes:
pid | Process
1740 | taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 824 | 99bc5e82135557b8e571b2deab9f297f.exe
Token: SeTcbPrivilege | 824 | 99bc5e82135557b8e571b2deab9f297f.exe
Token: SeDebugPrivilege | 1740 | taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | Process
824 | 99bc5e82135557b8e571b2deab9f297f.exe
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | Process
824 | 99bc5e82135557b8e571b2deab9f297f.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | Process | procid_target
PID 2000 wrote to memory of 824 | 2000 | 99bc5e82135557b8e571b2deab9f297f.exe | 26
PID 2000 wrote to memory of 824 | 2000 | 99bc5e82135557b8e571b2deab9f297f.exe | 26
PID 2000 wrote to memory of 824 | 2000 | 99bc5e82135557b8e571b2deab9f297f.exe | 26
PID 2000 wrote to memory of 824 | 2000 | 99bc5e82135557b8e571b2deab9f297f.exe | 26
PID 2000 wrote to memory of 2028 | 2000 | 99bc5e82135557b8e571b2deab9f297f.exe | 27
PID 2000 wrote to memory of 2028 | 2000 | 99bc5e82135557b8e571b2deab9f297f.exe | 27
PID 2000 wrote to memory of 2028 | 2000 | 99bc5e82135557b8e571b2deab9f297f.exe | 27
PID 2000 wrote to memory of 2028 | 2000 | 99bc5e82135557b8e571b2deab9f297f.exe | 27
PID 2028 wrote to memory of 1344 | 2028 | cmd.exe | 29
PID 2028 wrote to memory of 1344 | 2028 | cmd.exe | 29
PID 2028 wrote to memory of 1344 | 2028 | cmd.exe | 29
PID 824 wrote to memory of 1456 | 824 | 99bc5e82135557b8e571b2deab9f297f.exe | 32
PID 824 wrote to memory of 1456 | 824 | 99bc5e82135557b8e571b2deab9f297f.exe | 32
PID 824 wrote to memory of 1456 | 824 | 99bc5e82135557b8e571b2deab9f297f.exe | 32
PID 824 wrote to memory of 1456 | 824 | 99bc5e82135557b8e571b2deab9f297f.exe | 32
PID 1456 wrote to memory of 1740 | 1456 | cmd.exe | 34
PID 1456 wrote to memory of 1740 | 1456 | cmd.exe | 34
PID 1456 wrote to memory of 1740 | 1456 | cmd.exe | 34
Processes
C:\Users\Admin\AppData\Local\Temp\99bc5e82135557b8e571b2deab9f297f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\99bc5e82135557b8e571b2deab9f297f.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 2000
    C:\Windows\99bc5e82135557b8e571b2deab9f297f.exe
      Command line: "C:\Windows\99bc5e82135557b8e571b2deab9f297f.exe" g g g o n e123
      - Executes dropped EXE
      - Modifies extensions of user files
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 824
        C:\Windows\System32\cmd.exe
          Command line: /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
          - Suspicious use of WriteProcessMemory
          PID: 1456
            C:\Windows\system32\taskkill.exe
              Command line: taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 1740
    C:\Windows\System32\cmd.exe
      Command line: /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\99bc5e82135557b8e571b2deab9f297f.exe
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 2028
        C:\Windows\system32\PING.EXE
          Command line: ping localhost -n 3
          - Runs ping.exe
          PID: 1344
Network
MITRE ATT&CK Enterprise v6