e15032dd5c14a1149274faf83ed306ab82fa0d90aa507c982025d4e2d32098c3

General

Target

Venom Software v6/VenomV6.exe
Size

146KB
MD5

3d49478072bf18339ef810c8ea7546b2
SHA1

c1047d72d4cdce21af4bb989ad1bee437edb7f80
SHA256

e3300e30997c5a355f02ca6972711b2ca843d00a393b62c75818a43c27ff128d
SHA512

f47f6a1c51b92cc34a1dc264bc2b151690f1c314c5f97b08530e9efd6929c860985f9410f411cb31e0f3acd75b8969e4791ca9fb080901f6f4cb70322255a91c
SSDEEP

3072:A6glyuxE4GsUPnliByocWepU0DxwbL2LUnPaZw:A6gDBGpvEByocWeTDxOL2LScw

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\3R9qG8i3Z.README.txt

Ransom Note

~~~ PC Locker 3.0 by Mr.Robot~~~ >>>> Your data are stolen and encrypted To get your files back you will have to pay a one-time fee of $45 in bitcoin or monero. >>>> You need contact us and decrypt one file for free on these platforms with your personal DECRYPTION ID Contact the following account on telegram @mr_robot_unlock or paste this link in your browser https://t.me/mr_robot_unlock >>>> Your personal DECRYPTION ID: 4B75BFA39AA770FC71B581D039F476B7 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom you will not receive you files NO EXCEPTIONS! >>>> Warning! Any attempt to negotiate or you don't want to pay is INSTANT BLOCK! >>>> Advertisement Would you like to earn thousands of dollars $$$ ? We sell mentorship for stealers, DDOS and ransomware. We only work with professionals and people with money DO NOT WASTE OUR TIME.

URLs

https://t.me/mr_robot_unlock

Signatures

Renames multiple (324) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

C800.tmp

pid process

2132 C800.tmp
Executes dropped EXE 1 IoCs

Processes:

C800.tmp

pid process

2132 C800.tmp
Loads dropped DLL 1 IoCs

Processes:

VenomV6.exe

pid process

2460 VenomV6.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

VenomV6.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	VenomV6.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	VenomV6.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

VenomV6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\3R9qG8i3Z.bmp"	VenomV6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\3R9qG8i3Z.bmp"	VenomV6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

VenomV6.exeC800.tmp

pid process

2460 VenomV6.exe
2460 VenomV6.exe
2460 VenomV6.exe
2460 VenomV6.exe
2132 C800.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

VenomV6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop	VenomV6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "10"	VenomV6.exe

Modifies registry class 5 IoCs

Processes:

VenomV6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.3R9qG8i3Z	VenomV6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3R9qG8i3Z\ = "3R9qG8i3Z"	VenomV6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z\DefaultIcon	VenomV6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z	VenomV6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z\DefaultIcon\ = "C:\\ProgramData\\3R9qG8i3Z.ico"	VenomV6.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

VenomV6.exe

pid	process
2460	VenomV6.exe
2460	VenomV6.exe
2460	VenomV6.exe
2460	VenomV6.exe
2460	VenomV6.exe
2460	VenomV6.exe
2460	VenomV6.exe
2460	VenomV6.exe
2460	VenomV6.exe
2460	VenomV6.exe
2460	VenomV6.exe
2460	VenomV6.exe
2460	VenomV6.exe
2460	VenomV6.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

C800.tmp

pid	process
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp
2132	C800.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VenomV6.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeDebugPrivilege	2460	VenomV6.exe
Token: 36	2460	VenomV6.exe
Token: SeImpersonatePrivilege	2460	VenomV6.exe
Token: SeIncBasePriorityPrivilege	2460	VenomV6.exe
Token: SeIncreaseQuotaPrivilege	2460	VenomV6.exe
Token: 33	2460	VenomV6.exe
Token: SeManageVolumePrivilege	2460	VenomV6.exe
Token: SeProfSingleProcessPrivilege	2460	VenomV6.exe
Token: SeRestorePrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeSystemProfilePrivilege	2460	VenomV6.exe
Token: SeTakeOwnershipPrivilege	2460	VenomV6.exe
Token: SeShutdownPrivilege	2460	VenomV6.exe
Token: SeDebugPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeBackupPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe
Token: SeSecurityPrivilege	2460	VenomV6.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

VenomV6.exeC800.tmp

description	pid	process	target process
PID 2460 wrote to memory of 2132	2460	VenomV6.exe	C800.tmp
PID 2460 wrote to memory of 2132	2460	VenomV6.exe	C800.tmp
PID 2460 wrote to memory of 2132	2460	VenomV6.exe	C800.tmp
PID 2460 wrote to memory of 2132	2460	VenomV6.exe	C800.tmp
PID 2460 wrote to memory of 2132	2460	VenomV6.exe	C800.tmp
PID 2132 wrote to memory of 2212	2132	C800.tmp	cmd.exe
PID 2132 wrote to memory of 2212	2132	C800.tmp	cmd.exe
PID 2132 wrote to memory of 2212	2132	C800.tmp	cmd.exe
PID 2132 wrote to memory of 2212	2132	C800.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Venom Software v6\VenomV6.exe
"C:\Users\Admin\AppData\Local\Temp\Venom Software v6\VenomV6.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

C:\ProgramData\C800.tmp
"C:\ProgramData\C800.tmp"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C800.tmp >> NUL
3⤵
PID:2212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150
1⤵
PID:2964

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini
Filesize
129B

MD5
756745dc40ecc4f8d17d548d6a971037

SHA1
d806d53cc8cd197568ba7ab96387c5beb24907ed

SHA256
75d1a273163895c3a8d7a3b10b9e1ca4cfde595022ca61173567aac809fd6db0

SHA512
61c7a6176f082708cfedbadb32345fa741774cdc7d0506cf5730eb2155728a4d750fe81008705ca0b98ca8a3827f5df6e5c7e9032c33c88fb0b00336efb264e2

Download Submit
C:\3R9qG8i3Z.README.txt
Filesize
953B

MD5
121d3bbdf3718554f28d1ae5f5f1fae0

SHA1
4b235a3ce5b80d575fe4f46324ec883e7d073a8e

SHA256
e5a64138346e2bedc1773ae5a6abfac99d472cd9e7017425fd533ee1282b95d7

SHA512
de51933cea180d916df32557201bada1f0f487110ef1b3383978c38013d8251c245afb939348553c052566927d735875af1cb1bece7c2952a2d12b837a7b3230

Download Submit
C:\Users\Admin\AppData\Local\Temp\Venom Software v6\DDDDDDDDDDD
Filesize
146KB

MD5
8beeca87a84078f11d0a2116fa5208d8

SHA1
5a8eb2082e6f4af044a547712002e144cb5be335

SHA256
7714cc09ea43201bee461b75ed1ec7ff8fdd26b669255da3ec95f989733cf04a

SHA512
4724247d2d8684b808c11f0aa7a74db5d1b87e9d374adeebd5bc175cb85f2ed623ad4a186b99f093c08338a48b3e58d3bf9b708e016ba9a9b3b76f6064ea2bed

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\DDDDDDDDDDD
Filesize
129B

MD5
363af566d3c5729576fa036557ba256a

SHA1
a13594046e2c617ca9d75aba8ecbf6b28b1137c1

SHA256
74f08b06568e60a5ffdcfc8aa411fe30c1f285f465e215dc2d2f9a0a97ddda33

SHA512
160672ff7026458149c4d0d8e6a1fc3716be68d3f61865b01955882d8b0c808b6642a8a274e65419006914ffcc8319b791c7e616084c7354a861bcdc05fdc7fd

Download Submit
\ProgramData\C800.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2132-847-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2132-846-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/2132-845-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/2132-844-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2132-848-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2132-877-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2132-878-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2460-0-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads