General

  • Target

    vss.exe

  • Size

    225KB

  • Sample

    221204-tdgcjsgh6y

  • MD5

    07f5fbcb96179acffab2638392d08fb8

  • SHA1

    22d84ca8e620ef5fc0027b3e06876d1a04d10406

  • SHA256

    4f92e2f752e4b0b30193d53375cd2fbd4beff02db9d6b3b6cadbf3b50e503498

  • SHA512

    0ed902259cf218f0d1f6349ff4ee45b674f19f867cbbe7fee28cf80b7edf67e691738274df4b2c7be01aac60639c45e35717e2b9c59518bc6e1240a022acabf4

  • SSDEEP

    6144:FQJmXLQwAhWUkJ0kfV50DEr2MxgTw7ozFD254W:FeeLQwAi07DWGcopfW

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>0KMJAig7xv8l6k+Y8szwZzvA5ecU9ObeLEkRQtp1gig6H1tIQzWu4dvQEGeagNn7 Wm1CFdh2RI0do/6mvY9pvRFdkkjNRd6oVMJGRl6RxRB4DzETM5ZFj9m4i1oOWMRA 7CF98q+3YKwTJTW4xsa6ROGfbEjvLC7cD7EIeOPRbckUjfxXEridh+CXac6ISmV6 0jdVW1r/b43Kq2rlBCFsiWz7CLFzSuvaaTdXj7HHpQpohaFPIyR9AhKqVrjQ8TAr ovfs88e1S+cYJC+DnVaB0q1J7PR94tmOqatF8EdTdsOO1eY4lCqkWsIYMP8HXCmZ 4EffngTKUios3bEr8MUlbi1PWgDnDMCw5rhvH7Xwr5DpmjWg2WTL5JN9OdYt9pcC QpB8W0q3Ej7yI9+fREEIoHY+6VMPr05sQY+hFtpBaOIZuw5ROhlaYRl5d8VItoqz QiG5UIl31NmX8MRYIsUEyLTuqYAdxVSEjk00KRdMiXviqPSnw89bZQw0eVwTfU1r H2FYmv63bh/SI/9HoqTtAV+2gShNJy8UFoxojfDJVPHWbaCClQExIQI1/bT3Hc9k EGEOCIi6CqpSGU/6W64Nqnwej2SFct24ijhR//gR/t6TgJrAWw2Ue9nSjMF+Bjwo s35L/GwIvQ== </p></div></body></html></html></body></html>
Emails

email:[email protected]

email:[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\9986146891972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected]
Emails

email:[email protected]

email:[email protected]

Targets

    • Target

      vss.exe

    • Size

      225KB

    • MD5

      07f5fbcb96179acffab2638392d08fb8

    • SHA1

      22d84ca8e620ef5fc0027b3e06876d1a04d10406

    • SHA256

      4f92e2f752e4b0b30193d53375cd2fbd4beff02db9d6b3b6cadbf3b50e503498

    • SHA512

      0ed902259cf218f0d1f6349ff4ee45b674f19f867cbbe7fee28cf80b7edf67e691738274df4b2c7be01aac60639c45e35717e2b9c59518bc6e1240a022acabf4

    • SSDEEP

      6144:FQJmXLQwAhWUkJ0kfV50DEr2MxgTw7ozFD254W:FeeLQwAi07DWGcopfW

    • Venus

      Venus is a ransomware family first seen in 2022.

    • Venus Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks