Resubmissions

01-04-2024 16:38

240401-t5wxbaab86 10

01-04-2024 03:29

240401-d17v1scd5z 10

Analysis

  • max time kernel
    94s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-04-2024 16:38

General

  • Target

    0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe

  • Size

    225KB

  • MD5

    8691dae21568faaeda49bcd640e1ad23

  • SHA1

    524b589ef403ff21cf040ef33c21b1d6d8235feb

  • SHA256

    0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

  • SHA512

    870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d

  • SSDEEP

    6144:2NRgzJmXrQwAPj5XJkcXV50DErs5xgTw7ozFz254W:URglerQwAjkzDZGcoxfW

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\25221965441972527219.hta

Ransom Note

<<<Venus>>> We downloaded and encrypted your data. Only we can decrypt your data.

IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.

-----------------------------------------------------

Contact and send this file to us: email:[email protected] email:[email protected]
Emails

email:[email protected]

email:[email protected]

Signatures

  • Venus

    Venus is a ransomware first seen in 2022.

  • Venus Ransomware 4 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Renames multiple (8906) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 35 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
    "C:\Users\Admin\AppData\Local\Temp\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
      "C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe" g g g o n e123
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4740
      • C:\Windows\System32\cmd.exe
        /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4892
      • C:\Windows\System32\cmd.exe
        /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:12676
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:13096
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:13360
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {current} nx AlwaysOff
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:13908
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic SHADOWCOPY DELETE
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:13948
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\25221965441972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        PID:13424
      • C:\Windows\System32\cmd.exe
        /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4864
        • C:\Windows\system32\PING.EXE
          ping localhost -n 3
          3⤵
          • Runs ping.exe
          PID:4560
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:13160
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:13248
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:13300
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:13412

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml.venus
    Filesize: 3.3MB
    MD5: 386d168d805a70cdd4c86057902daf4c
    SHA1: 47c8ac12dcc4efbeed9bebfc0e95ff423a9e9918
    SHA256: 683094b367943eed2c06da0a166eb0d5b8d59fa62c8ef951167d33963ca2f7b5
    SHA512: 5d8c3857cd94018eccdf825475ffcfc6650b93b6d71e395bc5104407de1bfce0566b82480938003a85f4f9d25f75401689c63f12e092299fd2743b815b6965f8

  • C:\Users\Admin\AppData\Local\Temp\25221965441972527219.hta
    Filesize: 1KB
    MD5: 8b21851812e49cf5fdf41f27f86ed7ed
    SHA1: 9f0508f620125a3b2c65583526605595d5573871
    SHA256: 5319b9b9a47498219a6a17c5a8da3065dc101d96b8319c4ec238cedd10071c0b
    SHA512: 42f77c979020d5c34fe3590cf40405bc2ec3b4fe6b2aebe92b1f3f48f327315b854b2941f7e15f3b61d6b62ce8fd357c942ee7f183112a0d718a9c0b671412af

  • C:\Windows\0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be.exe
    Filesize: 225KB
    MD5: 8691dae21568faaeda49bcd640e1ad23
    SHA1: 524b589ef403ff21cf040ef33c21b1d6d8235feb
    SHA256: 0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be
    SHA512: 870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d

  • \Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini.venus
    Filesize: 276B
    MD5: 06186d548d545671361dc612116496b4
    SHA1: 4e65917beaf767060c29398cf816d41202b6b850
    SHA256: e6da380e20deef4c46a5e32d0f89b540ad905ddb5fd3945a774c53651d59d612
    SHA512: b16570ceba0898f99a1ae937bb113cc8949901ffd533639e67b1088fa0c6628bc45d5631e15497e89ed8967615cf89d8b91fe28b92c5868356ca73d772e5e790

  • memory/1960-0-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/1960-33-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/4740-39-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB