Resubmissions

09-12-2022 06:35

221209-hcjkqsce85 10

09-12-2022 05:38

221209-gbsatacd98 10

General

  • Target

    78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

  • Size

    265KB

  • Sample

    221209-hcjkqsce85

  • MD5

    3ac0d935228460fdc38bdab692d71b0c

  • SHA1

    d08f753af5b5d9be3352495189be6fd4914ad8e1

  • SHA256

    78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361

  • SHA512

    04376fc469808504a8071f0b9baa35c4f922d7b69c4d4c6e77309022f95cf916a80b758a6733154f36e8be59d928b93903eec47a6df32e96b2ef3b4b6f0fde54

  • SSDEEP

    6144:k9Pj5XJkcXV50DErs5xgTw7ozFz254WfRgzJmXrQwAN:akzDZGcoxfWfRglerQwAN

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>ODJ/1FJBPtEx5nroTfbWRxcSyfmCla4LntdbOdvL5Ft9JeYfNqrRcJ0/mfM6rFxB H2Wwwc2ET5AlTbHYyKiveIghEOTRagNqRo+F9MEhncC5KQPIl7RJNPILnaR11saM GbZjO/DfqK7fvuNC489G+eGC5zjjeu5Sezj+pPgkxdPsSaY7XqsbgayCikkGaJ41 Q6a9bPq8QwJzGyOs9y8W+4i7vvFXeco3vFqHyGw//LaruF/RdE1yWBDbQ5LYjzon MCYwMKU0Ef1jeIyPAbePxnmiT6P2xXeJP14Ie44DSNeKp1emypLhePRzmK2dI/hI BLwSFOAIoSQA+3XTY7GddAt203adsuE0DE+2MnZyzZYd0iS9Qr0aK9EukZnFnE+a 4iVI6saHkLru2NsRgsxhUwi7zQK6CrSzJv5IZ7xFB0qXwlDSDXrB92LrujmNZHBn xYvtTflEh73HEyTFpjhmABfkzdGXTvKxUVDTjL+EvKmnVrHgZPtYu8+Kpvnh/7pZ 0KFTYSz5Lb1KshTGVOEc4CT+eHZxWQBFshVkbrkSFW0eJ598MMvj18fOi5WVqjnD uiCvFF6fa2kmrQL8OfKtEGqVpwl2gHpo7tkD2QvFFBE+1ugLIEtkadBCPJ5TG+1T TMk= </p></div></body></html></html></body></html>
Emails

email:[email protected]

email:[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\12191226801972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected]
Emails

email:[email protected]

email:[email protected]

Extracted

Path

\??\E:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>LGtinQ1IPTYIn1/f+56IfGcqki2RSFKLanNHUQE6G3QE1Bie9nNQSpsxCy2V5S5y nslBYmBYaXiW1Qc/EA+Pwf1E9mUpeaGfKdySmJMmWUCfpCkjgnkYO85WTYQXlkec GJAx9KKqHQPU2ZvrCqqKndDg9bXahZutq0BejTx71Wdl7ZVSuWsAFavbLTAhtIZM yvAZ9w+39WEF53TS5I+/sPATc1DEhg4A0a7nT6/8tLVDTv260fp90/XHsNTIMja6 4ji5A0uS9CXhJep5150X0kx1GVPkB5QOrn3olxRm5o1odCwLm5YGC5IwYjXgERN0 A2u1P3C3asCX2cRkYcG06SYbp4dm5s3Jxgm/NjESDgK6zcH2AqfcT5znGjS3Zorp Z/2jIvWnGDrnaibT35Rh68Xuuz+1zXKWsKQbmZTLQfmii2hWjf7amOIuC6AhLQxs KjOTCyqCDrsOWKGMs0HclEVjPM6BTYVjoAvMeGOjkxbofMVZx9GwyPFmQ/hFCBcw UFmaQUMGTH/m4jFxM/6MaYz2kkWYhL+pBNMM0ioxLrHFrjFU5QLLw75AG7xzAlvt 5yDTeLswZzttpmYV4+ad0qQjxwl5QLz6Po7rkMwyFh7v+bjbMowjWdpc7mnotBqx eK2HVAZqjjTF </p></div></body></html></html></body></html>
Emails

email:[email protected]

email:[email protected]

Targets

    • Target

      78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

    • Size

      265KB

    • MD5

      3ac0d935228460fdc38bdab692d71b0c

    • SHA1

      d08f753af5b5d9be3352495189be6fd4914ad8e1

    • SHA256

      78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361

    • SHA512

      04376fc469808504a8071f0b9baa35c4f922d7b69c4d4c6e77309022f95cf916a80b758a6733154f36e8be59d928b93903eec47a6df32e96b2ef3b4b6f0fde54

    • SSDEEP

      6144:k9Pj5XJkcXV50DErs5xgTw7ozFz254WfRgzJmXrQwAN:akzDZGcoxfWfRglerQwAN

    • Detect Neshta payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread and cause damage.

    • Venus

      Venus is a ransomware family first seen in 2022.

    • Venus Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
