Analysis

  • max time kernel
    114s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-12-2022 01:05

General

  • Target

    931cab7fbc0eb2bbc5768f8abdcc029cef76aff98540d9f5214786dccdb6a224 (1).exe

  • Size

    225KB

  • MD5

    e75c4033f31862d8e71afe87620e2cce

  • SHA1

    ff5095b2501fd9beee4fbe0f2a17a3151b540476

  • SHA256

    931cab7fbc0eb2bbc5768f8abdcc029cef76aff98540d9f5214786dccdb6a224

  • SHA512

    00210ec5079aa9adbe594b009ec0f6f866295fb4191dc55c4214cb876e88bfc81aa41701dfa7c7b4964363fded98d78d1b0361b78c62a80bea07dad52f7ce5f0

  • SSDEEP

    6144:xQJmXLQwAhWUkJ0kfV50DErCMxgTw7ozFD254W:xeeLQwAi07DKGcopfW

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>9C6K/FYOguQq6RjqcEyb3TDkZQg/REByD7yqlxZA8A3qtR+7lBBBsFHvxWtafTJ2 fkJ/vQoCZoHmZQnMont6aBZi6uaknXAlhgZdV0c/rWmjGeSIxby+sclTigydtojw CGa7SkZpqLnKSA/7QLKoIRUeCVihr3x+nkIFM4YS99sZIdgpynJcE466DXdoyxlK HK8oOCe2cAwBmsEvtcGo8abo3gMNKDx4TrBuTLQrCJw2HdiSWzdnVQLE/5gTO7ot A2IQdNtMgO+N0a8o63XQN1IEMy0lu9ddYw5//ZEVrcjMNt0HLicRB5mIHNEszDQ2 53LA2BdVI/U+6bRqjgaE5O9Wy37dxrzeda+ZuTPx/zK+mcPrtYZyeYO8pE6eHeLX jB3sZVeFG9BqFTuh9MAmqcjQnDyXISwP9DKjyEAK+qCetj8GDJobkNBEN4Kddjam 6rKpjnW0VQ4qxF4vBq/L7EeCQeiXl9+zC/GCwn9dyoNg0oqRADTJqCCBRWxRYE2p B9ey5DnMJ+reKmz+F5tzlnfLiCcOTUVbysEkBNDtq2YpmbTs3uCXjKi0wjo9uHDs p7cxKuMMUdKDTAHjXcSykOP3jSDFS89PwcmNkS6RewvFS8I/w0MJZ+ECgFZG9rPn /W57eeqKsg== </p></div></body></html></html></body></html>
Emails

email:[email protected]

email:[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\2015343831972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected]
Emails

email:[email protected]

email:[email protected]

Signatures

  • Venus

    Venus is a ransomware family first seen in 2022.

  • Venus Ransomware 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Modifies extensions of user files 26 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check; both the original dropper (PID 1688) and the copy it runs from C:\Windows (PID 4916) trigger it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc. No IoCs are listed for this signature here, and in a ransomware run the more likely cause is the encryptor enumerating browser profile directories while looking for files to encrypt, not credential theft.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run the hits come from vds.exe (PID 5956), the Windows Virtual Disk Service that starts as a side effect of the wbadmin and vssadmin calls, not from the sample, so this should not be read as anti-analysis behaviour by Venus.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\931cab7fbc0eb2bbc5768f8abdcc029cef76aff98540d9f5214786dccdb6a224 (1).exe
    "C:\Users\Admin\AppData\Local\Temp\931cab7fbc0eb2bbc5768f8abdcc029cef76aff98540d9f5214786dccdb6a224 (1).exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\931cab7fbc0eb2bbc5768f8abdcc029cef76aff98540d9f5214786dccdb6a224 (1).exe
      "C:\Windows\931cab7fbc0eb2bbc5768f8abdcc029cef76aff98540d9f5214786dccdb6a224 (1).exe" g g g o n e123
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks computer location settings
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4916
      • C:\Windows\System32\cmd.exe
        /C netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4580
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
          4⤵
          • Modifies Windows Firewall
          PID:260
      • C:\Windows\System32\cmd.exe
        /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1056
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1160
      • C:\Windows\System32\cmd.exe
        /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:6032
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:6076
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2696
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {current} nx AlwaysOff
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:6188
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic SHADOWCOPY DELETE
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:6292
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\2015343831972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:4104
    • C:\Windows\System32\cmd.exe
      /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\931cab7fbc0eb2bbc5768f8abdcc029cef76aff98540d9f5214786dccdb6a224 (1).exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\system32\PING.EXE
        ping localhost -n 3
        3⤵
        • Runs ping.exe
        PID:3056
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:6120
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:2208
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:5956
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4968
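The command lines in the tree above, as a detection example added here (not code from the sandbox or from the sample): the block replays them as generic process-creation events and flags the recovery-inhibition chain (wbadmin, vssadmin, bcdedit, wmic SHADOWCOPY DELETE), the bulk taskkill of database and Office processes, the firewall rule change, mshta launching an .hta from %TEMP%, and the ping-delay self-delete, then attributes every hit back to the root of the process tree. ProcEvent, the parent PIDs (reconstructed from the nesting shown above), the rule names and the taskkill threshold of 10 are assumptions of this example, not a real log schema.

```python
"""Added detection example for the process tree above (not the sandbox's or the
sample's own code). It replays the report's command lines as generic
process-creation events and flags the behaviours worth alerting on. ProcEvent
and the parent PIDs are assumptions reconstructed from the tree, not a real log schema."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def count_taskkill_targets(cmdline: str) -> int:
    """Number of /IM <name> targets on a taskkill command line."""
    return len(re.findall(r"/im\s+\S+", cmdline, re.IGNORECASE))


def _match(pattern: str):
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda cmdline: rx.search(cmdline) is not None


# Rule name -> predicate on the raw command line. The cmd.exe /C wrappers fire as
# well as the child tools, which helps when only the wrapper reaches the log.
RULES = {
    "shadow_copy_deletion": _match(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete"),
    "backup_catalog_deletion": _match(r"wbadmin(\.exe)?\s+delete\s+catalog"),
    "dep_disabled_via_bcdedit": _match(r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+nx\s+alwaysoff"),
    "firewall_file_sharing_enabled": _match(
        r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="file and printer sharing".*enable=yes'),
    # 10 is an assumed threshold: administrators rarely kill ten images in one command.
    "mass_taskkill": lambda c: re.search(r"taskkill(\.exe)?\s", c, re.I) is not None
    and count_taskkill_targets(c) >= 10,
    "mshta_hta_from_temp": _match(r'mshta(\.exe)?"?\s+"?[^"]*\\appdata\\local\\temp\\[^"]*\.hta'),
    "ping_delay_then_self_delete": _match(r"ping\s+\S+\s+-n\s+\d+.*&\s*del\s+"),
}


def root_pid(by_pid: dict, pid: int) -> int:
    """Follow ppid links to the top-most process we hold an event for."""
    seen = set()
    while pid not in seen and pid in by_pid and by_pid[pid].ppid in by_pid:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def detect(events) -> list:
    """One hit per (process, rule), attributed to the root of its process tree."""
    by_pid = {e.pid: e for e in events}
    return [{"pid": e.pid, "image": e.image, "rule": name, "root_pid": root_pid(by_pid, e.pid)}
            for e in events for name, pred in RULES.items() if pred(e.cmdline)]


def summarize(events) -> dict:
    """root pid -> sorted distinct rules fired anywhere in that tree."""
    out = {}
    for h in detect(events):
        out.setdefault(h["root_pid"], set()).add(h["rule"])
    return {k: sorted(v) for k, v in out.items()}


# Events constructed from the Processes section; parent PIDs follow the tree nesting.
SAMPLE = "931cab7fbc0eb2bbc5768f8abdcc029cef76aff98540d9f5214786dccdb6a224 (1).exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FW = 'netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes'
KILL = "taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe"
WIPE = ("wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && "
        "bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE")
EVENTS = [
    ProcEvent(1688, 0, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(4916, 1688, "C:\\Windows\\" + SAMPLE, '"C:\\Windows\\' + SAMPLE + '" g g g o n e123'),
    ProcEvent(4580, 4916, r"C:\Windows\System32\cmd.exe", "/C " + FW),
    ProcEvent(260, 4580, r"C:\Windows\system32\netsh.exe", FW),
    ProcEvent(1056, 4916, r"C:\Windows\System32\cmd.exe", "/C " + KILL),
    ProcEvent(1160, 1056, r"C:\Windows\system32\taskkill.exe", KILL),
    ProcEvent(6032, 4916, r"C:\Windows\System32\cmd.exe", "/C " + WIPE),
    ProcEvent(6076, 6032, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(2696, 6032, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(6188, 6032, r"C:\Windows\system32\bcdedit.exe", "bcdedit.exe /set {current} nx AlwaysOff"),
    ProcEvent(6292, 6032, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic SHADOWCOPY DELETE"),
    ProcEvent(4104, 4916, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\2015343831972527219.hta" '
              r'{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'),
    ProcEvent(4468, 1688, r"C:\Windows\System32\cmd.exe", "/c ping localhost -n 3 > nul & del " + TEMP + "\\" + SAMPLE),
    ProcEvent(3056, 4468, r"C:\Windows\system32\PING.EXE", "ping localhost -n 3"),
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["root_pid"], hit["pid"], hit["rule"], hit["image"])
```

Every hit resolves to PID 1688, the dropped sample, even though the dangerous commands run three levels down under cmd.exe; that root attribution is what lets a responder isolate the right process and binary instead of chasing vssadmin.exe. The cmd.exe wrappers and their children fire the same rules, so in production deduplicate on (root pid, rule). bcdedit /set {current} nx AlwaysOff gets its own rule because it disables DEP system-wide and is almost never typed by an administrator.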

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\2015343831972527219.hta

      Filesize

      1KB

      MD5

      0089e9df914529756c04019714de5e34

      SHA1

      0a940de2bf6eb5e5194f733f70604dffa41087ce

      SHA256

      6fc68341673e7ac45c14d9830a00777a4d363c6d62b25e493db5165453df9802

      SHA512

      2389372375e6d94fb09634387ee70cb17d777b66da9aee727fe7f8da6c07acdb40512665487ede98d74cb019e4ec2676cd929b2c2183f03323993e0c9ffbe175

    • C:\Windows\931cab7fbc0eb2bbc5768f8abdcc029cef76aff98540d9f5214786dccdb6a224 (1).exe

      Filesize

      225KB

      MD5

      e75c4033f31862d8e71afe87620e2cce

      SHA1

      ff5095b2501fd9beee4fbe0f2a17a3151b540476

      SHA256

      931cab7fbc0eb2bbc5768f8abdcc029cef76aff98540d9f5214786dccdb6a224

      SHA512

      00210ec5079aa9adbe594b009ec0f6f866295fb4191dc55c4214cb876e88bfc81aa41701dfa7c7b4964363fded98d78d1b0361b78c62a80bea07dad52f7ce5f0

    • memory/260-141-0x0000000000000000-mapping.dmp

    • memory/1056-140-0x0000000000000000-mapping.dmp

    • memory/1160-142-0x0000000000000000-mapping.dmp

    • memory/1688-132-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2696-146-0x0000000000000000-mapping.dmp

    • memory/3056-139-0x0000000000000000-mapping.dmp

    • memory/4104-147-0x0000000000000000-mapping.dmp

    • memory/4468-135-0x0000000000000000-mapping.dmp

    • memory/4580-138-0x0000000000000000-mapping.dmp

    • memory/4916-143-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/4916-137-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/4916-133-0x0000000000000000-mapping.dmp

    • memory/6032-144-0x0000000000000000-mapping.dmp

    • memory/6076-145-0x0000000000000000-mapping.dmp

    • memory/6188-149-0x0000000000000000-mapping.dmp

    • memory/6292-150-0x0000000000000000-mapping.dmp