Analysis
max time kernel: 99s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-11-2022 09:09
Behavioral task: behavioral1
Sample: 99bc5e82135557b8e571b2deab9f297f.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 99bc5e82135557b8e571b2deab9f297f.exe
Resource: win10v2004-20221111-en
General
Target: 99bc5e82135557b8e571b2deab9f297f.exe
Size: 136KB
MD5: 99bc5e82135557b8e571b2deab9f297f
SHA1: ec11f6abf13044a438a7f363bda2c9d5709d2475
SHA256: 04d75593f6acdfe0c959345b8d6702166537d7533abfeb4b568339dee1986b5e
SHA512: cffb151124a92bd9a1dca3e12ad4482e1dbdb4ff93099785e02b897c688d0a741a6d28b9ab40bc757e24caee1890ec207287058176547ff2bc48803c8aea7a5c
SSDEEP: 3072:d4YLjaoAN6vHt5pmX8Q8QAjD44vcTlYewhp8J1HGjqZfTd3zHZ0DELbT4n:tlmX8QHA0B9Sp+1cmV50DEr4n
Malware Config
Signatures
Venus
Venus is a ransomware first seen in 2022.

Venus Ransomware 5 IoCs
resource | yara_rule
behavioral2/memory/560-132-0x0000000000400000-0x0000000000428000-memory.dmp | family_venus
C:\Windows\99bc5e82135557b8e571b2deab9f297f.exe | family_venus
C:\Windows\99bc5e82135557b8e571b2deab9f297f.exe | family_venus
behavioral2/memory/1000-138-0x0000000000400000-0x0000000000428000-memory.dmp | family_venus
behavioral2/memory/1000-141-0x0000000000400000-0x0000000000428000-memory.dmp | family_venus
Executes dropped EXE 1 IoCs
Processes: 99bc5e82135557b8e571b2deab9f297f.exe
pid | process
1000 | 99bc5e82135557b8e571b2deab9f297f.exe
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 99bc5e82135557b8e571b2deab9f297f.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\RedoSwitch.tiff | 99bc5e82135557b8e571b2deab9f297f.exe
File renamed | C:\Users\Admin\Pictures\RedoSwitch.tiff => C:\Users\Admin\Pictures\RedoSwitch.tiff.venus | 99bc5e82135557b8e571b2deab9f297f.exe
File renamed | C:\Users\Admin\Pictures\ResetGet.png => C:\Users\Admin\Pictures\ResetGet.png.venus | 99bc5e82135557b8e571b2deab9f297f.exe
File renamed | C:\Users\Admin\Pictures\StopCompare.png => C:\Users\Admin\Pictures\StopCompare.png.venus | 99bc5e82135557b8e571b2deab9f297f.exe
File renamed | C:\Users\Admin\Pictures\ImportPop.crw => C:\Users\Admin\Pictures\ImportPop.crw.venus | 99bc5e82135557b8e571b2deab9f297f.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 99bc5e82135557b8e571b2deab9f297f.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 99bc5e82135557b8e571b2deab9f297f.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 1 IoCs
Processes: 99bc5e82135557b8e571b2deab9f297f.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\99bc5e82135557b8e571b2deab9f297f.exe = "C:\\Windows\\99bc5e82135557b8e571b2deab9f297f.exe䔀" | 99bc5e82135557b8e571b2deab9f297f.exe
Drops desktop.ini file(s) 34 IoCs
Processes: 99bc5e82135557b8e571b2deab9f297f.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Videos\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Public\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | \Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | \??\E:\$RECYCLE.BIN\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | 99bc5e82135557b8e571b2deab9f297f.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 99bc5e82135557b8e571b2deab9f297f.exe
description | ioc | process
File opened (read-only) | \??\E: | 99bc5e82135557b8e571b2deab9f297f.exe
File opened (read-only) | \??\F: | 99bc5e82135557b8e571b2deab9f297f.exe
Drops file in Program Files directory 64 IoCs
Processes: 99bc5e82135557b8e571b2deab9f297f.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Windows Media Player\en-US\wmpnssci.dll.mui | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-100.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-disabled_32.svg | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msvcp120.dll | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCache.scale-200.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-200.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Folder.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-72_altform-lightunplated.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\main.css | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-125.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\SmallTile.scale-200.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-125.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsSplashLogo.scale-140.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_altform-lightunplated.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-40.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Mozilla Firefox\nssckbi.dll | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ko_135x40.svg | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Windows Media Player\de-DE\wmpnssui.dll.mui | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-60_altform-lightunplated.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-400_contrast-white.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-4246620582-653642754-1174164128-1000-MergedResources-0.pri | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\ui-strings.js | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Advertising | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-64.png | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-stdio-l1-1-0.dll | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\webviewCore.min.js | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\Example3A.Diagnostics.Tests.ps1 | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\ui-strings.js | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.Dialog.dll | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libfreetype_plugin.dll | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\de-DE\View3d\3DViewerProductDescription-universal.xml | 99bc5e82135557b8e571b2deab9f297f.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms | 99bc5e82135557b8e571b2deab9f297f.exe
Drops file in Windows directory 1 IoCs
Processes: 99bc5e82135557b8e571b2deab9f297f.exe
description | ioc | process
File created | C:\Windows\99bc5e82135557b8e571b2deab9f297f.exe | 99bc5e82135557b8e571b2deab9f297f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
2076 | taskkill.exe

Modifies registry class 1 IoCs
Processes: 99bc5e82135557b8e571b2deab9f297f.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 99bc5e82135557b8e571b2deab9f297f.exe

Runs ping.exe 1 TTPs 1 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: 99bc5e82135557b8e571b2deab9f297f.exe, taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 1000 | 99bc5e82135557b8e571b2deab9f297f.exe
Token: SeTcbPrivilege | 1000 | 99bc5e82135557b8e571b2deab9f297f.exe
Token: SeDebugPrivilege | 2076 | taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes: 99bc5e82135557b8e571b2deab9f297f.exe
pid | process
1000 | 99bc5e82135557b8e571b2deab9f297f.exe

Suspicious use of SendNotifyMessage 1 IoCs
Processes: 99bc5e82135557b8e571b2deab9f297f.exe
pid | process
1000 | 99bc5e82135557b8e571b2deab9f297f.exe

Suspicious use of WriteProcessMemory 11 IoCs
Processes: 99bc5e82135557b8e571b2deab9f297f.exe, cmd.exe, 99bc5e82135557b8e571b2deab9f297f.exe, cmd.exe
description | pid | process | target process
PID 560 wrote to memory of 1000 | 560 | 99bc5e82135557b8e571b2deab9f297f.exe | 99bc5e82135557b8e571b2deab9f297f.exe
PID 560 wrote to memory of 1000 | 560 | 99bc5e82135557b8e571b2deab9f297f.exe | 99bc5e82135557b8e571b2deab9f297f.exe
PID 560 wrote to memory of 1000 | 560 | 99bc5e82135557b8e571b2deab9f297f.exe | 99bc5e82135557b8e571b2deab9f297f.exe
PID 560 wrote to memory of 2944 | 560 | 99bc5e82135557b8e571b2deab9f297f.exe | cmd.exe
PID 560 wrote to memory of 2944 | 560 | 99bc5e82135557b8e571b2deab9f297f.exe | cmd.exe
PID 2944 wrote to memory of 408 | 2944 | cmd.exe | PING.EXE
PID 2944 wrote to memory of 408 | 2944 | cmd.exe | PING.EXE
PID 1000 wrote to memory of 4032 | 1000 | 99bc5e82135557b8e571b2deab9f297f.exe | cmd.exe
PID 1000 wrote to memory of 4032 | 1000 | 99bc5e82135557b8e571b2deab9f297f.exe | cmd.exe
PID 4032 wrote to memory of 2076 | 4032 | cmd.exe | taskkill.exe
PID 4032 wrote to memory of 2076 | 4032 | cmd.exe | taskkill.exe
Processes
C:\Users\Admin\AppData\Local\Temp\99bc5e82135557b8e571b2deab9f297f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\99bc5e82135557b8e571b2deab9f297f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 560

  C:\Windows\99bc5e82135557b8e571b2deab9f297f.exe
    Command line: "C:\Windows\99bc5e82135557b8e571b2deab9f297f.exe" g g g o n e123
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1000

    C:\Windows\System32\cmd.exe
      Command line: /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
      - Suspicious use of WriteProcessMemory
      PID: 4032

      C:\Windows\system32\taskkill.exe
        Command line: taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2076

  C:\Windows\System32\cmd.exe
    Command line: /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\99bc5e82135557b8e571b2deab9f297f.exe
    - Suspicious use of WriteProcessMemory
    PID: 2944

    C:\Windows\system32\PING.EXE
      Command line: ping localhost -n 3
      - Runs ping.exe
      PID: 408
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: 99bc5e82135557b8e571b2deab9f297f
SHA1: ec11f6abf13044a438a7f363bda2c9d5709d2475
SHA256: 04d75593f6acdfe0c959345b8d6702166537d7533abfeb4b568339dee1986b5e
SHA512: cffb151124a92bd9a1dca3e12ad4482e1dbdb4ff93099785e02b897c688d0a741a6d28b9ab40bc757e24caee1890ec207287058176547ff2bc48803c8aea7a5c