venus | 4f92e2f752e4b0b30193d53375cd2fbd4beff02db9d6b3b6cadbf3b50e503498

General

Target

Venus.exe
Size

225KB
MD5

07f5fbcb96179acffab2638392d08fb8
SHA1

22d84ca8e620ef5fc0027b3e06876d1a04d10406
SHA256

4f92e2f752e4b0b30193d53375cd2fbd4beff02db9d6b3b6cadbf3b50e503498
SHA512

0ed902259cf218f0d1f6349ff4ee45b674f19f867cbbe7fee28cf80b7edf67e691738274df4b2c7be01aac60639c45e35717e2b9c59518bc6e1240a022acabf4
SSDEEP

6144:FQJmXLQwAhWUkJ0kfV50DEr2MxgTw7ozFD254W:FeeLQwAi07DWGcopfW

Score

10^/10

venus evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\README.html

Ransom Note

<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center"><<<Venus>>></h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>LNCLNWs7Gb1e8vB+wHPthFw7mpeo4QOCJH2S6Qr7jQrFC50Thgv08BVsFuHfiNN/ 3T+hpuihskopRXwAAefrvIcWPAroIbgpe+0CIWSF4qK8p1uO+PINW3ejnYYskBCF EEvzXaNL6aDWDGJVDN4obfW6SM2dZku7EtqknAwSsWT6b3yZGuJJaPAMiLKt6e6J nveVccQaJM4ExjcsGURVaLZG1hr9GOyiwhg2Jc9U7ITjzjEuD0Fys3kq1LzquP2K gAKzfra+6Ocg5UVJF957EOl4nmnkX+8A1AjUm3Bw+7J/9ugl2whgepL00Sz+6+7m LeLEonhNS3t6DL9QTUPsLdbuMmAVNfCrr9qpuYlCunV123VxixVvcR+ttFeOBSRu rwOmffYSpcwLzXhvde/VXZuoJ31bT7FTbPfmz7miuKXX+pBNCznFouNJayDKgPi+ H/wmceZyHzRkBmO0UP3KEJ4eqbzwYlQ6Ky3jSrE7u2Qak1psSIqzGCqk8tVBRWmQ W6MgcoOy2AarXvVTNPsuqLzcu8nANONPfMwS/yVcpg7ivGa9ouTTysXDtHteX31d RG/bmBldLnq3cOiOD7C47kkFi7Zq3o2iIdmdDTreSCX3TLIAhCHTSMEDdXRycbkO UtsnJeW02pc= </p></div></body></html></html></body></html>

Emails

us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>LNCLNWs7Gb1e8vB+wHPthFw7mpeo4QOCJH2S6Qr7jQrFC50Thgv08BVsFuHfiNN/

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\16165406601972527219.hta

Ransom Note

<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected]

Emails

email:[email protected]

Signatures

Venus
Venus is a ransomware first seen in 2022.
ransomware venus

Venus Ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2500-132-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus
C:\Windows\Venus.exe	family_venus
C:\Windows\Venus.exe	family_venus
behavioral2/memory/628-140-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus
behavioral2/memory/628-143-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

6212 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

6092 wbadmin.exe
Executes dropped EXE 1 IoCs

Processes:

Venus.exe

pid process

628 Venus.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1816 netsh.exe

pid	process
6212	bcdedit.exe

pid	process
6092	wbadmin.exe

pid	process
628	Venus.exe

pid	process
1816	netsh.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Venus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\OptimizeConvertFrom.tiff	Venus.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeConvertFrom.tiff.venus	Venus.exe
File renamed	C:\Users\Admin\Pictures\ReceiveCompress.tif => C:\Users\Admin\Pictures\ReceiveCompress.tif.venus	Venus.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveCompress.tif.venus	Venus.exe
File renamed	C:\Users\Admin\Pictures\ReceiveRestart.raw => C:\Users\Admin\Pictures\ReceiveRestart.raw.venus	Venus.exe
File renamed	C:\Users\Admin\Pictures\UninstallExpand.tif => C:\Users\Admin\Pictures\UninstallExpand.tif.venus	Venus.exe
File opened for modification	C:\Users\Admin\Pictures\UninstallExpand.tif.venus	Venus.exe
File renamed	C:\Users\Admin\Pictures\OptimizeConvertFrom.tiff => C:\Users\Admin\Pictures\OptimizeConvertFrom.tiff.venus	Venus.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveRestart.raw.venus	Venus.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Venus.exeVenus.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Venus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Venus.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Venus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Venus.exe = "C:\\Windows\\Venus.exe"	Venus.exe

Drops desktop.ini file(s) 34 IoCs

Processes:

Venus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Venus.exe
File opened for modification	C:\Users\Public\desktop.ini	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Venus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Venus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Venus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Venus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Venus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Venus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Venus.exe
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-2971393436-602173351-1645505021-1000\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Venus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2971393436-602173351-1645505021-1000\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Venus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Venus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Venus.exe
File opened for modification	\Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-21-2971393436-602173351-1645505021-1000\desktop.ini	Venus.exe
File opened for modification	C:\Program Files\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Venus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Venus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Venus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Venus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Venus.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Venus.exe

description ioc process

File opened (read-only) \??\E: Venus.exe
File opened (read-only) \??\F: Venus.exe

description	ioc	process
File opened (read-only)	\??\E:	Venus.exe
File opened (read-only)	\??\F:	Venus.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Venus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\16165406601972527219.jpg"	Venus.exe

Drops file in Program Files directory 64 IoCs

Processes:

Venus.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-40_contrast-white.png	Venus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ro.pak	Venus.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.INF.venus	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-100.png	Venus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\es.pak	Venus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.venus	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-200.png	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-100_contrast-black.png	Venus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\icudt26l.dat	Venus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll.venus	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-200_contrast-white.png	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-unplated_contrast-black.png	Venus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	Venus.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.dll.venus	Venus.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\net.properties.venus	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.venus	Venus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libhttp_plugin.dll.venus	Venus.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui	Venus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\Example3B.Diagnostics.Tests.ps1	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteMediumTile.scale-100.png	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-20_altform-unplated.png	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-20_altform-unplated.png	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.venus	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.venus	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.venus	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-200_contrast-black.png	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2971393436-602173351-1645505021-1000-MergedResources-0.pri	Venus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.schema.mfl	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextDark.scale-100.png	Venus.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.venus	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-200_contrast-black.png	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-32_altform-unplated.png	Venus.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar	Venus.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar.venus	Venus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.venus	Venus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif	Venus.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_zh-TW.dll	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.venus	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-150.png	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\mso0127.acl	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_contrast-white.png	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_WideTile.scale-200.png	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\Globals.hlsl	Venus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll.venus	Venus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\penkor.dll	Venus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\gmail.crx	Venus.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\WinMetadata\Microsoft.UI.Xaml.winmd	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-150.png	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.venus	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	Venus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms.venus	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms	Venus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7fr.dll.venus	Venus.exe

Drops file in Windows directory 2 IoCs

Processes:

Venus.exeVenus.exe

description ioc process

File created C:\Windows\Venus.exe Venus.exe
File created C:\Windows\16165406601972527219.png Venus.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Venus.exe	Venus.exe
File created	C:\Windows\16165406601972527219.png	Venus.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

620 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4436 taskkill.exe

pid	process
620	vssadmin.exe

pid	process
4436	taskkill.exe

Modifies registry class 5 IoCs

Processes:

Venus.exeVenus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon\ = "C:\\Windows\\16165406601972527219.png"	Venus.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	Venus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Venus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus	Venus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon	Venus.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1416 PING.EXE

pid	process
1416	PING.EXE

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

Venus.exetaskkill.exewbengine.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	628	Venus.exe
Token: SeTcbPrivilege	628	Venus.exe
Token: SeTakeOwnershipPrivilege	628	Venus.exe
Token: SeSecurityPrivilege	628	Venus.exe
Token: SeDebugPrivilege	4436	taskkill.exe
Token: SeBackupPrivilege	6128	wbengine.exe
Token: SeRestorePrivilege	6128	wbengine.exe
Token: SeSecurityPrivilege	6128	wbengine.exe
Token: SeBackupPrivilege	5084	vssvc.exe
Token: SeRestorePrivilege	5084	vssvc.exe
Token: SeAuditPrivilege	5084	vssvc.exe
Token: SeIncreaseQuotaPrivilege	6312	WMIC.exe
Token: SeSecurityPrivilege	6312	WMIC.exe
Token: SeTakeOwnershipPrivilege	6312	WMIC.exe
Token: SeLoadDriverPrivilege	6312	WMIC.exe
Token: SeSystemProfilePrivilege	6312	WMIC.exe
Token: SeSystemtimePrivilege	6312	WMIC.exe
Token: SeProfSingleProcessPrivilege	6312	WMIC.exe
Token: SeIncBasePriorityPrivilege	6312	WMIC.exe
Token: SeCreatePagefilePrivilege	6312	WMIC.exe
Token: SeBackupPrivilege	6312	WMIC.exe
Token: SeRestorePrivilege	6312	WMIC.exe
Token: SeShutdownPrivilege	6312	WMIC.exe
Token: SeDebugPrivilege	6312	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6312	WMIC.exe
Token: SeRemoteShutdownPrivilege	6312	WMIC.exe
Token: SeUndockPrivilege	6312	WMIC.exe
Token: SeManageVolumePrivilege	6312	WMIC.exe
Token: 33	6312	WMIC.exe
Token: 34	6312	WMIC.exe
Token: 35	6312	WMIC.exe
Token: 36	6312	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6312	WMIC.exe
Token: SeSecurityPrivilege	6312	WMIC.exe
Token: SeTakeOwnershipPrivilege	6312	WMIC.exe
Token: SeLoadDriverPrivilege	6312	WMIC.exe
Token: SeSystemProfilePrivilege	6312	WMIC.exe
Token: SeSystemtimePrivilege	6312	WMIC.exe
Token: SeProfSingleProcessPrivilege	6312	WMIC.exe
Token: SeIncBasePriorityPrivilege	6312	WMIC.exe
Token: SeCreatePagefilePrivilege	6312	WMIC.exe
Token: SeBackupPrivilege	6312	WMIC.exe
Token: SeRestorePrivilege	6312	WMIC.exe
Token: SeShutdownPrivilege	6312	WMIC.exe
Token: SeDebugPrivilege	6312	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6312	WMIC.exe
Token: SeRemoteShutdownPrivilege	6312	WMIC.exe
Token: SeUndockPrivilege	6312	WMIC.exe
Token: SeManageVolumePrivilege	6312	WMIC.exe
Token: 33	6312	WMIC.exe
Token: 34	6312	WMIC.exe
Token: 35	6312	WMIC.exe
Token: 36	6312	WMIC.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Venus.exeVenus.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2500 wrote to memory of 628	2500	Venus.exe	Venus.exe
PID 2500 wrote to memory of 628	2500	Venus.exe	Venus.exe
PID 2500 wrote to memory of 628	2500	Venus.exe	Venus.exe
PID 2500 wrote to memory of 5012	2500	Venus.exe	cmd.exe
PID 2500 wrote to memory of 5012	2500	Venus.exe	cmd.exe
PID 628 wrote to memory of 1980	628	Venus.exe	cmd.exe
PID 628 wrote to memory of 1980	628	Venus.exe	cmd.exe
PID 628 wrote to memory of 2096	628	Venus.exe	cmd.exe
PID 628 wrote to memory of 2096	628	Venus.exe	cmd.exe
PID 5012 wrote to memory of 1416	5012	cmd.exe	PING.EXE
PID 5012 wrote to memory of 1416	5012	cmd.exe	PING.EXE
PID 1980 wrote to memory of 1816	1980	cmd.exe	netsh.exe
PID 1980 wrote to memory of 1816	1980	cmd.exe	netsh.exe
PID 2096 wrote to memory of 4436	2096	cmd.exe	taskkill.exe
PID 2096 wrote to memory of 4436	2096	cmd.exe	taskkill.exe
PID 628 wrote to memory of 6044	628	Venus.exe	cmd.exe
PID 628 wrote to memory of 6044	628	Venus.exe	cmd.exe
PID 6044 wrote to memory of 6092	6044	cmd.exe	wbadmin.exe
PID 6044 wrote to memory of 6092	6044	cmd.exe	wbadmin.exe
PID 628 wrote to memory of 5960	628	Venus.exe	mshta.exe
PID 628 wrote to memory of 5960	628	Venus.exe	mshta.exe
PID 628 wrote to memory of 5960	628	Venus.exe	mshta.exe
PID 6044 wrote to memory of 620	6044	cmd.exe	vssadmin.exe
PID 6044 wrote to memory of 620	6044	cmd.exe	vssadmin.exe
PID 6044 wrote to memory of 6212	6044	cmd.exe	bcdedit.exe
PID 6044 wrote to memory of 6212	6044	cmd.exe	bcdedit.exe
PID 6044 wrote to memory of 6312	6044	cmd.exe	WMIC.exe
PID 6044 wrote to memory of 6312	6044	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\Venus.exe
"C:\Users\Admin\AppData\Local\Temp\Venus.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\Venus.exe
  "C:\Windows\Venus.exe" g g g o n e123
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\System32\cmd.exe
    /C netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
      4⤵
      Modifies Windows Firewall
      PID:1816
- - C:\Windows\System32\cmd.exe
    /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4436
- - C:\Windows\System32\cmd.exe
    /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6044
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:6092
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:620
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {current} nx AlwaysOff
      4⤵
      Modifies boot configuration data using bcdedit
      PID:6212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic SHADOWCOPY DELETE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6312
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\16165406601972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    PID:5960
- C:\Windows\System32\cmd.exe
  /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\Venus.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\system32\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:1416

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6128

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3480

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16165406601972527219.hta

Filesize
1KB

MD5
0089e9df914529756c04019714de5e34

SHA1
0a940de2bf6eb5e5194f733f70604dffa41087ce

SHA256
6fc68341673e7ac45c14d9830a00777a4d363c6d62b25e493db5165453df9802

SHA512
2389372375e6d94fb09634387ee70cb17d777b66da9aee727fe7f8da6c07acdb40512665487ede98d74cb019e4ec2676cd929b2c2183f03323993e0c9ffbe175

Download Submit
C:\Windows\Venus.exe

Filesize
225KB

MD5
07f5fbcb96179acffab2638392d08fb8

SHA1
22d84ca8e620ef5fc0027b3e06876d1a04d10406

SHA256
4f92e2f752e4b0b30193d53375cd2fbd4beff02db9d6b3b6cadbf3b50e503498

SHA512
0ed902259cf218f0d1f6349ff4ee45b674f19f867cbbe7fee28cf80b7edf67e691738274df4b2c7be01aac60639c45e35717e2b9c59518bc6e1240a022acabf4

Download Submit
C:\Windows\Venus.exe

Filesize
225KB

MD5
07f5fbcb96179acffab2638392d08fb8

SHA1
22d84ca8e620ef5fc0027b3e06876d1a04d10406

SHA256
4f92e2f752e4b0b30193d53375cd2fbd4beff02db9d6b3b6cadbf3b50e503498

SHA512
0ed902259cf218f0d1f6349ff4ee45b674f19f867cbbe7fee28cf80b7edf67e691738274df4b2c7be01aac60639c45e35717e2b9c59518bc6e1240a022acabf4

Download Submit
memory/620-147-0x0000000000000000-mapping.dmp

Download
memory/628-133-0x0000000000000000-mapping.dmp

Download
memory/628-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/628-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1416-139-0x0000000000000000-mapping.dmp

Download
memory/1816-141-0x0000000000000000-mapping.dmp

Download
memory/1980-137-0x0000000000000000-mapping.dmp

Download
memory/2096-138-0x0000000000000000-mapping.dmp

Download
memory/2500-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4436-142-0x0000000000000000-mapping.dmp

Download
memory/5012-135-0x0000000000000000-mapping.dmp

Download
memory/5960-146-0x0000000000000000-mapping.dmp

Download
memory/6044-144-0x0000000000000000-mapping.dmp

Download
memory/6092-145-0x0000000000000000-mapping.dmp

Download
memory/6212-149-0x0000000000000000-mapping.dmp

Download
memory/6312-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads