Resubmissions

01-04-2024 16:38

240401-t5wxbaab86 10

01-04-2024 03:29

240401-d17v1scd5z 10

General

  • Target

    0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

  • Size

    225KB

  • Sample

    240401-t5wxbaab86

  • MD5

    8691dae21568faaeda49bcd640e1ad23

  • SHA1

    524b589ef403ff21cf040ef33c21b1d6d8235feb

  • SHA256

    0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

  • SHA512

    870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d

  • SSDEEP

    6144:2NRgzJmXrQwAPj5XJkcXV50DErs5xgTw7ozFz254W:URglerQwAjkzDZGcoxfW

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3454529971972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected]
Emails

email:[email protected]

email:[email protected]

Targets

    • Target

      0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

    • Size

      225KB

    • MD5

      8691dae21568faaeda49bcd640e1ad23

    • SHA1

      524b589ef403ff21cf040ef33c21b1d6d8235feb

    • SHA256

      0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

    • SHA512

      870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d

    • SSDEEP

      6144:2NRgzJmXrQwAPj5XJkcXV50DErs5xgTw7ozFz254W:URglerQwAjkzDZGcoxfW

    • Venus

      Venus is a ransomware first seen in 2022.

    • Venus Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (8634) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks