venus | 4f92e2f752e4b0b30193d53375cd2fbd4beff02db9d6b3b6cadbf3b50e503498

General

Target

vss.exe
Size

225KB
MD5

07f5fbcb96179acffab2638392d08fb8
SHA1

22d84ca8e620ef5fc0027b3e06876d1a04d10406
SHA256

4f92e2f752e4b0b30193d53375cd2fbd4beff02db9d6b3b6cadbf3b50e503498
SHA512

0ed902259cf218f0d1f6349ff4ee45b674f19f867cbbe7fee28cf80b7edf67e691738274df4b2c7be01aac60639c45e35717e2b9c59518bc6e1240a022acabf4
SSDEEP

6144:FQJmXLQwAhWUkJ0kfV50DEr2MxgTw7ozFD254W:FeeLQwAi07DWGcopfW

Score

10^/10

venus evasion persistence ransomware

Malware Config

Signatures

Venus
Venus is a ransomware first seen in 2022.
ransomware venus

Venus Ransomware 4 IoCs

Processes:

resource	yara_rule
C:\Windows\vss.exe	family_venus
behavioral1/memory/1340-59-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus
behavioral1/memory/1464-65-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus
behavioral1/memory/1464-67-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus

Executes dropped EXE 1 IoCs

Processes:

vss.exe

pid process

1464 vss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1300 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1988 cmd.exe

pid	process
1464	vss.exe

pid	process
1300	netsh.exe

pid	process
1988	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vss.exe = "C:\\Windows\\vss.exe"	vss.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

vss.exe

description ioc process

File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-4063495947-34355257-727531523-1000\desktop.ini vss.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

vss.exe

description ioc process

File opened (read-only) \??\E: vss.exe
File opened (read-only) \??\F: vss.exe
Drops file in Windows directory 2 IoCs

Processes:

vss.exevss.exe

description ioc process

File created C:\Windows\vss.exe vss.exe
File created C:\Windows\28793772521972527219.png vss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1408 taskkill.exe

description	ioc	process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-4063495947-34355257-727531523-1000\desktop.ini	vss.exe

description	ioc	process
File opened (read-only)	\??\E:	vss.exe
File opened (read-only)	\??\F:	vss.exe

description	ioc	process
File created	C:\Windows\vss.exe	vss.exe
File created	C:\Windows\28793772521972527219.png	vss.exe

pid	process
1408	taskkill.exe

Modifies registry class 3 IoCs

Processes:

vss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus	vss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon	vss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon\ = "C:\\Windows\\28793772521972527219.png"	vss.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

620 PING.EXE

pid	process
620	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

vss.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1464	vss.exe
Token: SeTcbPrivilege	1464	vss.exe
Token: SeTakeOwnershipPrivilege	1464	vss.exe
Token: SeSecurityPrivilege	1464	vss.exe
Token: SeDebugPrivilege	1408	taskkill.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

vss.exevss.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1340 wrote to memory of 1464	1340	vss.exe	vss.exe
PID 1340 wrote to memory of 1464	1340	vss.exe	vss.exe
PID 1340 wrote to memory of 1464	1340	vss.exe	vss.exe
PID 1340 wrote to memory of 1464	1340	vss.exe	vss.exe
PID 1340 wrote to memory of 1988	1340	vss.exe	cmd.exe
PID 1340 wrote to memory of 1988	1340	vss.exe	cmd.exe
PID 1340 wrote to memory of 1988	1340	vss.exe	cmd.exe
PID 1340 wrote to memory of 1988	1340	vss.exe	cmd.exe
PID 1464 wrote to memory of 332	1464	vss.exe	cmd.exe
PID 1464 wrote to memory of 332	1464	vss.exe	cmd.exe
PID 1464 wrote to memory of 332	1464	vss.exe	cmd.exe
PID 1464 wrote to memory of 332	1464	vss.exe	cmd.exe
PID 1464 wrote to memory of 596	1464	vss.exe	cmd.exe
PID 1464 wrote to memory of 596	1464	vss.exe	cmd.exe
PID 1464 wrote to memory of 596	1464	vss.exe	cmd.exe
PID 1464 wrote to memory of 596	1464	vss.exe	cmd.exe
PID 1988 wrote to memory of 620	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 620	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 620	1988	cmd.exe	PING.EXE
PID 596 wrote to memory of 1408	596	cmd.exe	taskkill.exe
PID 596 wrote to memory of 1408	596	cmd.exe	taskkill.exe
PID 596 wrote to memory of 1408	596	cmd.exe	taskkill.exe
PID 332 wrote to memory of 1300	332	cmd.exe	netsh.exe
PID 332 wrote to memory of 1300	332	cmd.exe	netsh.exe
PID 332 wrote to memory of 1300	332	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\vss.exe
"C:\Users\Admin\AppData\Local\Temp\vss.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\vss.exe
  "C:\Windows\vss.exe" g g g o n e123
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\System32\cmd.exe
    /C netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
      4⤵
      Modifies Windows Firewall
      PID:1300
- - C:\Windows\System32\cmd.exe
    /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1408
- C:\Windows\System32\cmd.exe
  /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\vss.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\system32\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\vss.exe

Filesize
225KB

MD5
07f5fbcb96179acffab2638392d08fb8

SHA1
22d84ca8e620ef5fc0027b3e06876d1a04d10406

SHA256
4f92e2f752e4b0b30193d53375cd2fbd4beff02db9d6b3b6cadbf3b50e503498

SHA512
0ed902259cf218f0d1f6349ff4ee45b674f19f867cbbe7fee28cf80b7edf67e691738274df4b2c7be01aac60639c45e35717e2b9c59518bc6e1240a022acabf4

Download Submit
memory/332-60-0x0000000000000000-mapping.dmp

Download
memory/596-61-0x0000000000000000-mapping.dmp

Download
memory/620-62-0x0000000000000000-mapping.dmp

Download
memory/1300-64-0x0000000000000000-mapping.dmp

Download
memory/1300-66-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1340-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1340-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1408-63-0x0000000000000000-mapping.dmp

Download
memory/1464-55-0x0000000000000000-mapping.dmp

Download
memory/1464-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1464-67-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1988-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads