13c2f14da985be19ee598514bd96e8a7a75ebfa297560d8bc64f9673693b3c67

General

Target

Venom5-HVNC-Rat.exe
Size

9.6MB
MD5

7e0817e3a41335f54a977e51fc226d16
SHA1

7d8d8fa29e93485411c9071e5add28027ca6b4b5
SHA256

13c2f14da985be19ee598514bd96e8a7a75ebfa297560d8bc64f9673693b3c67
SHA512

ccfab96b17073a70f85e01f8e322a0836439ca08fab58de359a732ed48136ee2a08c1cb55f1a63f421f70f3a778960bb3392c69fce448637a62e0f2e88e899d8
SSDEEP

196608:J1hG0XvXdb5e0hnHTW3GwhXscv84MzaVpXeEWgJfbC1xllS7o/rlf4:J15db5eaHT4GYrvbMG6K+jQ4hw

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

crack.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe	crack.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe	crack.exe

Executes dropped EXE 1 IoCs

Processes:

crack.exe

pid process

1672 crack.exe
Loads dropped DLL 4 IoCs

Processes:

Venom5-HVNC-Rat.exe

pid process

1712 Venom5-HVNC-Rat.exe
1712 Venom5-HVNC-Rat.exe
1712 Venom5-HVNC-Rat.exe
1712 Venom5-HVNC-Rat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1672	crack.exe

pid	process
1712	Venom5-HVNC-Rat.exe
1712	Venom5-HVNC-Rat.exe
1712	Venom5-HVNC-Rat.exe
1712	Venom5-HVNC-Rat.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Venom5-HVNC-Rat.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	Venom5-HVNC-Rat.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

crack.exe

pid process

1672 crack.exe

pid	process
1672	crack.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	392	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	392	AUDIODG.EXE
Token: 33	392	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	392	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Venom5-HVNC-Rat.exe

pid process

1712 Venom5-HVNC-Rat.exe
1712 Venom5-HVNC-Rat.exe

pid	process
1712	Venom5-HVNC-Rat.exe
1712	Venom5-HVNC-Rat.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Venom5-HVNC-Rat.exe

description	pid	process	target process
PID 1712 wrote to memory of 1672	1712	Venom5-HVNC-Rat.exe	crack.exe
PID 1712 wrote to memory of 1672	1712	Venom5-HVNC-Rat.exe	crack.exe
PID 1712 wrote to memory of 1672	1712	Venom5-HVNC-Rat.exe	crack.exe
PID 1712 wrote to memory of 1672	1712	Venom5-HVNC-Rat.exe	crack.exe

C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat.exe
"C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\crack.exe
"C:\Users\Admin\AppData\Local\Temp\crack.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1672

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:392

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crack.exe
Filesize
18KB

MD5
163bdc6f6240d733abf9083ac7e4eced

SHA1
cf59478a54791bdbfc7e72e66e6e350cd6940a08

SHA256
cb184f8c1aeb967c72b3ff6093ba3e275e3bdec4b40de4d570e92bceaaced1e9

SHA512
e125e72b4066024fb38629a5c60f73fbde34e1e51425bc30170467d872410c080e59f4faa1af9b07eb2e1b288142aca86da68ba3009ad4d3236ea3f9d376f311

Download Submit
C:\Users\Admin\AppData\Local\Temp\crack.exe
Filesize
18KB

MD5
163bdc6f6240d733abf9083ac7e4eced

SHA1
cf59478a54791bdbfc7e72e66e6e350cd6940a08

SHA256
cb184f8c1aeb967c72b3ff6093ba3e275e3bdec4b40de4d570e92bceaaced1e9

SHA512
e125e72b4066024fb38629a5c60f73fbde34e1e51425bc30170467d872410c080e59f4faa1af9b07eb2e1b288142aca86da68ba3009ad4d3236ea3f9d376f311

Download Submit
C:\Users\Admin\AppData\Local\Temp\crack.exe
Filesize
18KB

MD5
163bdc6f6240d733abf9083ac7e4eced

SHA1
cf59478a54791bdbfc7e72e66e6e350cd6940a08

SHA256
cb184f8c1aeb967c72b3ff6093ba3e275e3bdec4b40de4d570e92bceaaced1e9

SHA512
e125e72b4066024fb38629a5c60f73fbde34e1e51425bc30170467d872410c080e59f4faa1af9b07eb2e1b288142aca86da68ba3009ad4d3236ea3f9d376f311

Download Submit
C:\Users\Admin\AppData\Local\Temp\packages\Vestris.ResourceLib.2.2.0-beta0004\lib\net40\Vestris.ResourceLib.xml
Filesize
286KB

MD5
5d2dee455b4003b6624b6dd890edb279

SHA1
4cdb025c8c5935bfc49871fca80fc4a346acd579

SHA256
02b4fd6d46ffc9411e4688a5b088fbc7d34062024e1c93637535e093319c35b6

SHA512
90f0123b6300a2fe53b7da8b50253c5807950da96dd0010e2494cc9f14d339d7a131c9653f29a585c2647634537cfbc1a1d84debc33a1b96bf7f01b88eaedee9

Download Submit
\Users\Admin\AppData\Local\Temp\crack.exe
Filesize
18KB

MD5
163bdc6f6240d733abf9083ac7e4eced

SHA1
cf59478a54791bdbfc7e72e66e6e350cd6940a08

SHA256
cb184f8c1aeb967c72b3ff6093ba3e275e3bdec4b40de4d570e92bceaaced1e9

SHA512
e125e72b4066024fb38629a5c60f73fbde34e1e51425bc30170467d872410c080e59f4faa1af9b07eb2e1b288142aca86da68ba3009ad4d3236ea3f9d376f311

Download Submit
\Users\Admin\AppData\Local\Temp\crack.exe
Filesize
18KB

MD5
163bdc6f6240d733abf9083ac7e4eced

SHA1
cf59478a54791bdbfc7e72e66e6e350cd6940a08

SHA256
cb184f8c1aeb967c72b3ff6093ba3e275e3bdec4b40de4d570e92bceaaced1e9

SHA512
e125e72b4066024fb38629a5c60f73fbde34e1e51425bc30170467d872410c080e59f4faa1af9b07eb2e1b288142aca86da68ba3009ad4d3236ea3f9d376f311

Download Submit
\Users\Admin\AppData\Local\Temp\crack.exe
Filesize
18KB

MD5
163bdc6f6240d733abf9083ac7e4eced

SHA1
cf59478a54791bdbfc7e72e66e6e350cd6940a08

SHA256
cb184f8c1aeb967c72b3ff6093ba3e275e3bdec4b40de4d570e92bceaaced1e9

SHA512
e125e72b4066024fb38629a5c60f73fbde34e1e51425bc30170467d872410c080e59f4faa1af9b07eb2e1b288142aca86da68ba3009ad4d3236ea3f9d376f311

Download Submit
\Users\Admin\AppData\Local\Temp\crack.exe
Filesize
18KB

MD5
163bdc6f6240d733abf9083ac7e4eced

SHA1
cf59478a54791bdbfc7e72e66e6e350cd6940a08

SHA256
cb184f8c1aeb967c72b3ff6093ba3e275e3bdec4b40de4d570e92bceaaced1e9

SHA512
e125e72b4066024fb38629a5c60f73fbde34e1e51425bc30170467d872410c080e59f4faa1af9b07eb2e1b288142aca86da68ba3009ad4d3236ea3f9d376f311

Download Submit
memory/1672-383-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/1672-386-0x000000001B9E0000-0x000000001BA60000-memory.dmp

Filesize
512KB

Download
memory/1672-387-0x000000001B9E0000-0x000000001BA60000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads