Overview

overview

10

Static

static

10

0a1dbcff63...be.exe

windows7-x64

10

0a1dbcff63...be.exe

windows10-2004-x64

10

Resubmissions

01-04-2024 16:38

240401-t5wxbaab86 10

01-04-2024 03:29

240401-d17v1scd5z 10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-04-2024 03:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

  • Size

    225KB

  • MD5

    8691dae21568faaeda49bcd640e1ad23

  • SHA1

    524b589ef403ff21cf040ef33c21b1d6d8235feb

  • SHA256

    0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

  • SHA512

    870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d

  • SSDEEP

    6144:2NRgzJmXrQwAPj5XJkcXV50DErs5xgTw7ozFz254W:URglerQwAjkzDZGcoxfW

Score
10/10
venusevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\5477845241972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected]
Emails

email:[email protected]

email:[email protected]

Signatures

  • Venus

    Venus is a ransomware first seen in 2022.

    ransomwarevenus
  • Venus Ransomware 4 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Renames multiple (8904) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 35 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
    "C:\Users\Admin\AppData\Local\Temp\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
      "C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe" g g g o n e123
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3312
      • C:\Windows\System32\cmd.exe
        /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4396
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1188
      • C:\Windows\System32\cmd.exe
        /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:7760
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:8380
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:8484
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {current} nx AlwaysOff
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:8640
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic SHADOWCOPY DELETE
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:8300
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\5477845241972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:6884
      • C:\Windows\System32\cmd.exe
        /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4496
        • C:\Windows\system32\PING.EXE
          ping localhost -n 3
          3⤵
          • Runs ping.exe
          PID:1684
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:7672
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:7108
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:7628
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:7416

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml.venus
        Filesize

        3.3MB

        MD5

        a5e33059941ce9ace52fa1e04c4c5d47

        SHA1

        f0b35e94c4507d8a3e6763c1311466d32fb40d4b

        SHA256

        a695f2e9f2bda29a79c314f5317eb32313353a87c0eea0549fa53d6d877f6f38

        SHA512

        aea436b90058437d77a2526aef2c8774a3a87dca644cafdd584331766afcccccec8983700ffdc2a124ec739daa95b1ea8caa4afe4775d0bd4cada1ce9b5e0523

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\5477845241972527219.hta
        Filesize

        1KB

        MD5

        8b21851812e49cf5fdf41f27f86ed7ed

        SHA1

        9f0508f620125a3b2c65583526605595d5573871

        SHA256

        5319b9b9a47498219a6a17c5a8da3065dc101d96b8319c4ec238cedd10071c0b

        SHA512

        42f77c979020d5c34fe3590cf40405bc2ec3b4fe6b2aebe92b1f3f48f327315b854b2941f7e15f3b61d6b62ce8fd357c942ee7f183112a0d718a9c0b671412af

        Download Submit

      • C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
        Filesize

        225KB

        MD5

        8691dae21568faaeda49bcd640e1ad23

        SHA1

        524b589ef403ff21cf040ef33c21b1d6d8235feb

        SHA256

        0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

        SHA512

        870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d

        Download Submit

      • \??\PIPE\srvsvc
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit

      • memory/3312-40-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3596-0-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3596-33-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download