venus | 0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

General

Target

0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
Size

225KB
MD5

8691dae21568faaeda49bcd640e1ad23
SHA1

524b589ef403ff21cf040ef33c21b1d6d8235feb
SHA256

0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be
SHA512

870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d
SSDEEP

6144:2NRgzJmXrQwAPj5XJkcXV50DErs5xgTw7ozFz254W:URglerQwAjkzDZGcoxfW

Score

10^/10

venus evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\31866906861972527219.hta

Ransom Note

<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected]

Emails

email:[email protected]

Signatures

Venus
Venus is a ransomware first seen in 2022.
ransomware venus

Venus Ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3036-0-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus
C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	family_venus
behavioral1/memory/3036-10-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus
behavioral1/memory/2152-13-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus
behavioral1/memory/2152-2649-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

4036 bcdedit.exe
Renames multiple (8640) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3848 wbadmin.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2564 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

pid process

2152 0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4036	bcdedit.exe

pid	process
3848	wbadmin.exe

pid	process
2564	cmd.exe

pid	process
2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe = "C:\\Windows\\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe"	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

Drops desktop.ini file(s) 51 IoCs

Processes:

0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CJQLK5UF\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Y3HLRHFA\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	\Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5B8DS9TT\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JQHF6B80\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Public\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

description	ioc	process
File opened (read-only)	\??\G:	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened (read-only)	\??\F:	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened (read-only)	\??\E:	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\31866906861972527219.jpg"	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

Drops file in Program Files directory 64 IoCs

Processes:

0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107344.WMF	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107446.WMF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200183.WMF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00837_.WMF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18253_.WMF	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21375_.GIF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\wmpnssci.dll.mui	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\THMBNAIL.PNG.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153087.WMF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialResume.dotx.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\SLATE.INF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EntityPicker.dll	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\PREVIEW.GIF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01434_.WMF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\ShvlRes.dll.mui	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01701_.WMF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00270_.WMF	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHLTS.DLL.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGDOTS.DPV.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\wmlaunch.exe.mui	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLWVW.DLL.IDX_DLL.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Distinctive.dotx	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MX.XML.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL105.XML.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\GRAY.pf.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\resources.jar.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US\msaddsr.dll.mui	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_zh-CN.dll.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21527_.GIF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\clock.html	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_REVIEW.XSN.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN011.XML	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01301_.GIF	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18185_.WMF.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR11F.GIF	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\TableTextService.dll.mui	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

Drops file in Windows directory 2 IoCs

Processes:

0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

description	ioc	process
File created	C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
File created	C:\Windows\31866906861972527219.png	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3800 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2684 taskkill.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
3800	vssadmin.exe

pid	process
2684	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 3 IoCs

Processes:

0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon\ = "C:\\Windows\\31866906861972527219.png"	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2692 PING.EXE

pid	process
2692	PING.EXE

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exetaskkill.exewbengine.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
Token: SeTcbPrivilege	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
Token: SeTakeOwnershipPrivilege	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
Token: SeSecurityPrivilege	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeBackupPrivilege	4972	wbengine.exe
Token: SeRestorePrivilege	4972	wbengine.exe
Token: SeSecurityPrivilege	4972	wbengine.exe
Token: SeBackupPrivilege	4352	vssvc.exe
Token: SeRestorePrivilege	4352	vssvc.exe
Token: SeAuditPrivilege	4352	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4840	WMIC.exe
Token: SeSecurityPrivilege	4840	WMIC.exe
Token: SeTakeOwnershipPrivilege	4840	WMIC.exe
Token: SeLoadDriverPrivilege	4840	WMIC.exe
Token: SeSystemProfilePrivilege	4840	WMIC.exe
Token: SeSystemtimePrivilege	4840	WMIC.exe
Token: SeProfSingleProcessPrivilege	4840	WMIC.exe
Token: SeIncBasePriorityPrivilege	4840	WMIC.exe
Token: SeCreatePagefilePrivilege	4840	WMIC.exe
Token: SeBackupPrivilege	4840	WMIC.exe
Token: SeRestorePrivilege	4840	WMIC.exe
Token: SeShutdownPrivilege	4840	WMIC.exe
Token: SeDebugPrivilege	4840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4840	WMIC.exe
Token: SeRemoteShutdownPrivilege	4840	WMIC.exe
Token: SeUndockPrivilege	4840	WMIC.exe
Token: SeManageVolumePrivilege	4840	WMIC.exe
Token: 33	4840	WMIC.exe
Token: 34	4840	WMIC.exe
Token: 35	4840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4840	WMIC.exe
Token: SeSecurityPrivilege	4840	WMIC.exe
Token: SeTakeOwnershipPrivilege	4840	WMIC.exe
Token: SeLoadDriverPrivilege	4840	WMIC.exe
Token: SeSystemProfilePrivilege	4840	WMIC.exe
Token: SeSystemtimePrivilege	4840	WMIC.exe
Token: SeProfSingleProcessPrivilege	4840	WMIC.exe
Token: SeIncBasePriorityPrivilege	4840	WMIC.exe
Token: SeCreatePagefilePrivilege	4840	WMIC.exe
Token: SeBackupPrivilege	4840	WMIC.exe
Token: SeRestorePrivilege	4840	WMIC.exe
Token: SeShutdownPrivilege	4840	WMIC.exe
Token: SeDebugPrivilege	4840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4840	WMIC.exe
Token: SeRemoteShutdownPrivilege	4840	WMIC.exe
Token: SeUndockPrivilege	4840	WMIC.exe
Token: SeManageVolumePrivilege	4840	WMIC.exe
Token: 33	4840	WMIC.exe
Token: 34	4840	WMIC.exe
Token: 35	4840	WMIC.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3036 wrote to memory of 2152	3036	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
PID 3036 wrote to memory of 2152	3036	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
PID 3036 wrote to memory of 2152	3036	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
PID 3036 wrote to memory of 2152	3036	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
PID 3036 wrote to memory of 2564	3036	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	cmd.exe
PID 3036 wrote to memory of 2564	3036	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	cmd.exe
PID 3036 wrote to memory of 2564	3036	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	cmd.exe
PID 3036 wrote to memory of 2564	3036	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	cmd.exe
PID 2152 wrote to memory of 2676	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	cmd.exe
PID 2152 wrote to memory of 2676	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	cmd.exe
PID 2152 wrote to memory of 2676	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	cmd.exe
PID 2152 wrote to memory of 2676	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	cmd.exe
PID 2676 wrote to memory of 2684	2676	cmd.exe	taskkill.exe
PID 2676 wrote to memory of 2684	2676	cmd.exe	taskkill.exe
PID 2676 wrote to memory of 2684	2676	cmd.exe	taskkill.exe
PID 2564 wrote to memory of 2692	2564	cmd.exe	PING.EXE
PID 2564 wrote to memory of 2692	2564	cmd.exe	PING.EXE
PID 2564 wrote to memory of 2692	2564	cmd.exe	PING.EXE
PID 2152 wrote to memory of 4680	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	cmd.exe
PID 2152 wrote to memory of 4680	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	cmd.exe
PID 2152 wrote to memory of 4680	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	cmd.exe
PID 2152 wrote to memory of 4680	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	cmd.exe
PID 4680 wrote to memory of 3848	4680	cmd.exe	wbadmin.exe
PID 4680 wrote to memory of 3848	4680	cmd.exe	wbadmin.exe
PID 4680 wrote to memory of 3848	4680	cmd.exe	wbadmin.exe
PID 4680 wrote to memory of 3800	4680	cmd.exe	vssadmin.exe
PID 4680 wrote to memory of 3800	4680	cmd.exe	vssadmin.exe
PID 4680 wrote to memory of 3800	4680	cmd.exe	vssadmin.exe
PID 2152 wrote to memory of 4316	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	mshta.exe
PID 2152 wrote to memory of 4316	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	mshta.exe
PID 2152 wrote to memory of 4316	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	mshta.exe
PID 2152 wrote to memory of 4316	2152	0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe	mshta.exe
PID 4680 wrote to memory of 4036	4680	cmd.exe	bcdedit.exe
PID 4680 wrote to memory of 4036	4680	cmd.exe	bcdedit.exe
PID 4680 wrote to memory of 4036	4680	cmd.exe	bcdedit.exe
PID 4680 wrote to memory of 4840	4680	cmd.exe	WMIC.exe
PID 4680 wrote to memory of 4840	4680	cmd.exe	WMIC.exe
PID 4680 wrote to memory of 4840	4680	cmd.exe	WMIC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
"C:\Users\Admin\AppData\Local\Temp\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
  "C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe" g g g o n e123
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\System32\cmd.exe
    /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2684
- - C:\Windows\System32\cmd.exe
    /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:3848
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3800
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {current} nx AlwaysOff
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4036
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic SHADOWCOPY DELETE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4840
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\31866906861972527219.hta"
    3⤵
    - Modifies Internet Explorer settings
    PID:4316
- C:\Windows\System32\cmd.exe
  /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\system32\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2692

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5036

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:3996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

3

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31866906861972527219.hta

Filesize
1KB

MD5
8b21851812e49cf5fdf41f27f86ed7ed

SHA1
9f0508f620125a3b2c65583526605595d5573871

SHA256
5319b9b9a47498219a6a17c5a8da3065dc101d96b8319c4ec238cedd10071c0b

SHA512
42f77c979020d5c34fe3590cf40405bc2ec3b4fe6b2aebe92b1f3f48f327315b854b2941f7e15f3b61d6b62ce8fd357c942ee7f183112a0d718a9c0b671412af

Download Submit
C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

Filesize
225KB

MD5
8691dae21568faaeda49bcd640e1ad23

SHA1
524b589ef403ff21cf040ef33c21b1d6d8235feb

SHA256
0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

SHA512
870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d

Download Submit
\Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini.venus

Filesize
276B

MD5
22f81180ea1b100ebcdcbf669f4ed81f

SHA1
e201c1aeb3828416d4438f393b2d05b629bfd52e

SHA256
910477e4c77aaabb245b28b861375f5a29502740bbe603235aca07e7b730774c

SHA512
7fe08dc5e4c88eeb8e3bae79a566b5a79835139a24ef4455c1f7aff26a77366634e3dfdad58376591c1983a75a30bf32de615ad350f1030773f8e34c5703cd03

Download Submit
memory/2152-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2152-2649-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3036-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3036-9-0x0000000002EC0000-0x0000000002EFE000-memory.dmp

Filesize
248KB

Download
memory/3036-12-0x0000000002EC0000-0x0000000002EFE000-memory.dmp

Filesize
248KB

Download
memory/3036-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads