Analysis
max time kernel: 122s
max time network: 128s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 23-05-2024 17:34
Behavioral tasks
behavioral1: Sample Venom Software v6/VenomV6.exe, Resource win7-20240221-en
behavioral2: Sample Venom Software v6/VenomV6.exe, Resource win10-20240404-en
behavioral3: Sample Venom Software v6/VenomV6.exe, Resource win10v2004-20240508-en
behavioral4: Sample Venom Software v6/VenomV6.exe, Resource win11-20240426-en
General
Target: Venom Software v6/VenomV6.exe
Size: 146KB
MD5: 3d49478072bf18339ef810c8ea7546b2
SHA1: c1047d72d4cdce21af4bb989ad1bee437edb7f80
SHA256: e3300e30997c5a355f02ca6972711b2ca843d00a393b62c75818a43c27ff128d
SHA512: f47f6a1c51b92cc34a1dc264bc2b151690f1c314c5f97b08530e9efd6929c860985f9410f411cb31e0f3acd75b8969e4791ca9fb080901f6f4cb70322255a91c
SSDEEP: 3072:A6glyuxE4GsUPnliByocWepU0DxwbL2LUnPaZw:A6gDBGpvEByocWeTDxOL2LScw
Malware Config
Extracted
Ransom note path: C:\3R9qG8i3Z.README.txt
Contact URL: https://t.me/mr_robot_unlock
Signatures
- Renames multiple (324) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself (1 IoC)
  Processes (pid / process): 2132 C800.tmp
- Executes dropped EXE (1 IoC)
  Processes (pid / process): 2132 C800.tmp
- Loads dropped DLL (1 IoC)
  Processes (pid / process): 2460 VenomV6.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  Processes (description / ioc / process):
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini | VenomV6.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini | VenomV6.exe
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\3R9qG8i3Z.bmp" | VenomV6.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\3R9qG8i3Z.bmp" | VenomV6.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes (pid / process): 2460 VenomV6.exe (4 entries); 2132 C800.tmp (1 entry)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Control Panel (2 IoCs)
  Processes (description / ioc / process):
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop | VenomV6.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "10" | VenomV6.exe
- Modifies registry class (5 IoCs)
  Processes (description / ioc / process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.3R9qG8i3Z | VenomV6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.3R9qG8i3Z\ = "3R9qG8i3Z" | VenomV6.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z\DefaultIcon | VenomV6.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z | VenomV6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z\DefaultIcon\ = "C:\\ProgramData\\3R9qG8i3Z.ico" | VenomV6.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid / process): 2460 VenomV6.exe (14 entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  Processes (pid / process): 2132 C800.tmp (26 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process), all for pid 2460 VenomV6.exe:
  Token: SeAssignPrimaryTokenPrivilege
  Token: SeBackupPrivilege
  Token: SeDebugPrivilege
  Token: 36
  Token: SeImpersonatePrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: 33
  Token: SeManageVolumePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeRestorePrivilege
  Token: SeSecurityPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Entries 17 to 64 repeat the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege twelve times (48 entries).
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  PID 2460 wrote to memory of 2132 | 2460 VenomV6.exe | C800.tmp (5 entries)
  PID 2132 wrote to memory of 2212 | 2132 C800.tmp | cmd.exe (4 entries)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\Venom Software v6\VenomV6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Venom Software v6\VenomV6.exe"
  Signatures: Loads dropped DLL; Drops desktop.ini file(s); Sets desktop wallpaper using registry; Suspicious use of NtSetInformationThreadHideFromDebugger; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - (depth 2) C:\ProgramData\C800.tmp
    Command line: "C:\ProgramData\C800.tmp"
    Signatures: Deletes itself; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C800.tmp >> NUL
- (depth 1) C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x150
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini
  Filesize: 129B
  MD5: 756745dc40ecc4f8d17d548d6a971037
  SHA1: d806d53cc8cd197568ba7ab96387c5beb24907ed
  SHA256: 75d1a273163895c3a8d7a3b10b9e1ca4cfde595022ca61173567aac809fd6db0
  SHA512: 61c7a6176f082708cfedbadb32345fa741774cdc7d0506cf5730eb2155728a4d750fe81008705ca0b98ca8a3827f5df6e5c7e9032c33c88fb0b00336efb264e2
- C:\3R9qG8i3Z.README.txt
  Filesize: 953B
  MD5: 121d3bbdf3718554f28d1ae5f5f1fae0
  SHA1: 4b235a3ce5b80d575fe4f46324ec883e7d073a8e
  SHA256: e5a64138346e2bedc1773ae5a6abfac99d472cd9e7017425fd533ee1282b95d7
  SHA512: de51933cea180d916df32557201bada1f0f487110ef1b3383978c38013d8251c245afb939348553c052566927d735875af1cb1bece7c2952a2d12b837a7b3230
- C:\Users\Admin\AppData\Local\Temp\Venom Software v6\DDDDDDDDDDD
  Filesize: 146KB
  MD5: 8beeca87a84078f11d0a2116fa5208d8
  SHA1: 5a8eb2082e6f4af044a547712002e144cb5be335
  SHA256: 7714cc09ea43201bee461b75ed1ec7ff8fdd26b669255da3ec95f989733cf04a
  SHA512: 4724247d2d8684b808c11f0aa7a74db5d1b87e9d374adeebd5bc175cb85f2ed623ad4a186b99f093c08338a48b3e58d3bf9b708e016ba9a9b3b76f6064ea2bed
- F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\DDDDDDDDDDD
  Filesize: 129B
  MD5: 363af566d3c5729576fa036557ba256a
  SHA1: a13594046e2c617ca9d75aba8ecbf6b28b1137c1
  SHA256: 74f08b06568e60a5ffdcfc8aa411fe30c1f285f465e215dc2d2f9a0a97ddda33
  SHA512: 160672ff7026458149c4d0d8e6a1fc3716be68d3f61865b01955882d8b0c808b6642a8a274e65419006914ffcc8319b791c7e616084c7354a861bcdc05fdc7fd
- \ProgramData\C800.tmp
  Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
- memory/2132-847-0x000000007EF80000-0x000000007EF81000-memory.dmp
  Filesize: 4KB
- memory/2132-846-0x00000000020F0000-0x0000000002130000-memory.dmp
  Filesize: 256KB
- memory/2132-845-0x00000000020F0000-0x0000000002130000-memory.dmp
  Filesize: 256KB
- memory/2132-844-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
  Filesize: 4KB
- memory/2132-848-0x000000007EF20000-0x000000007EF21000-memory.dmp
  Filesize: 4KB
- memory/2132-877-0x000000007EF40000-0x000000007EF41000-memory.dmp
  Filesize: 4KB
- memory/2132-878-0x000000007EF60000-0x000000007EF61000-memory.dmp
  Filesize: 4KB
- memory/2460-0-0x0000000000160000-0x00000000001A0000-memory.dmp
  Filesize: 256KB