venus | fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3

General

Target

fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
Size

225KB
MD5

f62590e838b1d13960abb6b363e03ed9
SHA1

66f706a7d39038964471e0a009a76e0f978fb075
SHA256

fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3
SHA512

7d372043b31cca8d6d73ecd386e08d720ec29fa02e6c01b099c70977e7bdbd06f2a2a8c44f1b813c1a4b67b12a37a51efcfc3776e8667ed216b25d2bf1d56556
SSDEEP

6144:IuC7JmXiQwAh6jkJwkNV50DEr9MxgTw7ozFD254W:IuCteiQwAjw1DDGcopfW

Score

10^/10

venus evasion persistence ransomware

Malware Config

Signatures

Venus
Venus is a ransomware first seen in 2022.
ransomware venus

Venus Ransomware 4 IoCs

Processes:

resource	yara_rule
C:\Windows\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	family_venus
behavioral1/memory/1784-59-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus
behavioral1/memory/1764-66-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus
behavioral1/memory/1764-67-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus

Executes dropped EXE 1 IoCs

Processes:

fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

pid process

1764 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1400 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

960 cmd.exe

pid	process
1764	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

pid	process
1400	netsh.exe

pid	process
960	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe = "C:\\Windows\\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe"	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

description	ioc	process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-3385717845-2518323428-350143044-1000\desktop.ini	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

description	ioc	process
File opened (read-only)	\??\F:	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
File opened (read-only)	\??\E:	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

Drops file in Windows directory 2 IoCs

Processes:

fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exefa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

description	ioc	process
File created	C:\Windows\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
File created	C:\Windows\26866061551972527219.png	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

856 taskkill.exe

pid	process
856	taskkill.exe

Modifies registry class 3 IoCs

Processes:

fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon\ = "C:\\Windows\\26866061551972527219.png"	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1124 PING.EXE

pid	process
1124	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1764	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
Token: SeTcbPrivilege	1764	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
Token: SeTakeOwnershipPrivilege	1764	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
Token: SeSecurityPrivilege	1764	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
Token: SeDebugPrivilege	856	taskkill.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.execmd.exefa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.execmd.execmd.exe

description	pid	process	target process
PID 1784 wrote to memory of 1764	1784	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
PID 1784 wrote to memory of 1764	1784	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
PID 1784 wrote to memory of 1764	1784	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
PID 1784 wrote to memory of 1764	1784	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
PID 1784 wrote to memory of 960	1784	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	cmd.exe
PID 1784 wrote to memory of 960	1784	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	cmd.exe
PID 1784 wrote to memory of 960	1784	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	cmd.exe
PID 1784 wrote to memory of 960	1784	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	cmd.exe
PID 960 wrote to memory of 1124	960	cmd.exe	PING.EXE
PID 960 wrote to memory of 1124	960	cmd.exe	PING.EXE
PID 960 wrote to memory of 1124	960	cmd.exe	PING.EXE
PID 1764 wrote to memory of 472	1764	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	cmd.exe
PID 1764 wrote to memory of 472	1764	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	cmd.exe
PID 1764 wrote to memory of 472	1764	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	cmd.exe
PID 1764 wrote to memory of 472	1764	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	cmd.exe
PID 1764 wrote to memory of 1336	1764	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	cmd.exe
PID 1764 wrote to memory of 1336	1764	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	cmd.exe
PID 1764 wrote to memory of 1336	1764	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	cmd.exe
PID 1764 wrote to memory of 1336	1764	fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe	cmd.exe
PID 472 wrote to memory of 1400	472	cmd.exe	netsh.exe
PID 472 wrote to memory of 1400	472	cmd.exe	netsh.exe
PID 472 wrote to memory of 1400	472	cmd.exe	netsh.exe
PID 1336 wrote to memory of 856	1336	cmd.exe	taskkill.exe
PID 1336 wrote to memory of 856	1336	cmd.exe	taskkill.exe
PID 1336 wrote to memory of 856	1336	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
"C:\Users\Admin\AppData\Local\Temp\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
  "C:\Windows\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe" g g g o n e123
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\System32\cmd.exe
    /C netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
      4⤵
      Modifies Windows Firewall
      PID:1400
- - C:\Windows\System32\cmd.exe
    /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:856
- C:\Windows\System32\cmd.exe
  /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\system32\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

Filesize
225KB

MD5
f62590e838b1d13960abb6b363e03ed9

SHA1
66f706a7d39038964471e0a009a76e0f978fb075

SHA256
fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3

SHA512
7d372043b31cca8d6d73ecd386e08d720ec29fa02e6c01b099c70977e7bdbd06f2a2a8c44f1b813c1a4b67b12a37a51efcfc3776e8667ed216b25d2bf1d56556

Download Submit
memory/472-61-0x0000000000000000-mapping.dmp

Download
memory/856-64-0x0000000000000000-mapping.dmp

Download
memory/960-57-0x0000000000000000-mapping.dmp

Download
memory/1124-60-0x0000000000000000-mapping.dmp

Download
memory/1336-62-0x0000000000000000-mapping.dmp

Download
memory/1400-63-0x0000000000000000-mapping.dmp

Download
memory/1400-65-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download
memory/1764-55-0x0000000000000000-mapping.dmp

Download
memory/1764-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1764-67-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads