Analysis
max time kernel: 269s
max time network: 298s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23-05-2024 17:34
Behavioral tasks
behavioral1: Sample "Venom Software v6/VenomV6.exe", Resource win7-20240221-en
behavioral2: Sample "Venom Software v6/VenomV6.exe", Resource win10-20240404-en
behavioral3: Sample "Venom Software v6/VenomV6.exe", Resource win10v2004-20240508-en
behavioral4: Sample "Venom Software v6/VenomV6.exe", Resource win11-20240426-en
General
Target: Venom Software v6/VenomV6.exe
Size: 146KB
MD5: 3d49478072bf18339ef810c8ea7546b2
SHA1: c1047d72d4cdce21af4bb989ad1bee437edb7f80
SHA256: e3300e30997c5a355f02ca6972711b2ca843d00a393b62c75818a43c27ff128d
SHA512: f47f6a1c51b92cc34a1dc264bc2b151690f1c314c5f97b08530e9efd6929c860985f9410f411cb31e0f3acd75b8969e4791ca9fb080901f6f4cb70322255a91c
SSDEEP: 3072:A6glyuxE4GsUPnliByocWepU0DxwbL2LUnPaZw:A6gDBGpvEByocWeTDxOL2LScw
Malware Config
Extracted
Path: C:\3R9qG8i3Z.README.txt
URL: https://t.me/mr_robot_unlock
Signatures

Renames multiple (544) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Deletes itself (1 IoC)
Processes:
  pid 2516  7348.tmp

Executes dropped EXE (1 IoC)
Processes:
  pid 2516  7348.tmp

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (2 IoCs)
Processes:
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-1739856679-3467441365-73334005-1000\desktop.ini  VenomV6.exe
  File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-1739856679-3467441365-73334005-1000\desktop.ini  VenomV6.exe

Drops file in System32 directory (4 IoCs)
Processes:
  File created  C:\Windows\system32\spool\PRINTERS\PPq07hntju8i_85h4i973ux6i1b.TMP  printfilterpipelinesvc.exe
  File created  C:\Windows\system32\spool\PRINTERS\00002.SPL  splwow64.exe
  File created  C:\Windows\system32\spool\PRINTERS\PPwcmdyucwnbb1w3zk9gnk30l.TMP  printfilterpipelinesvc.exe
  File created  C:\Windows\system32\spool\PRINTERS\PPotmz1v21xa7ea2d84epas73fd.TMP  printfilterpipelinesvc.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\3R9qG8i3Z.bmp"  VenomV6.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\3R9qG8i3Z.bmp"  VenomV6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes:
  pid 4512  VenomV6.exe  (4 entries)
  pid 2516  7348.tmp  (1 entry)

Drops file in Windows directory (1 IoC)
Processes:
  File opened for modification  C:\Windows\Debug\ESE.TXT  svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  ONENOTE.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  ONENOTE.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  ONENOTE.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  ONENOTE.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  ONENOTE.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  ONENOTE.EXE

Modifies Control Panel (2 IoCs)
Processes:
  Key created      \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop  VenomV6.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\WallpaperStyle = "10"  VenomV6.exe

Modifies registry class (5 IoCs)
Processes:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z\DefaultIcon\ = "C:\\ProgramData\\3R9qG8i3Z.ico"  VenomV6.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.3R9qG8i3Z  VenomV6.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.3R9qG8i3Z\ = "3R9qG8i3Z"  VenomV6.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z\DefaultIcon  VenomV6.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z  VenomV6.exe

Suspicious behavior: EnumeratesProcesses (36 IoCs)
Processes:
  pid 4512  VenomV6.exe  (34 entries)
  pid 4252  ONENOTE.EXE  (2 entries)

Suspicious behavior: RenamesItself (26 IoCs)
Processes:
  pid 2516  7348.tmp  (26 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (all entries are pid 4512 VenomV6.exe; the token names are listed in the order reported):
  Token: SeAssignPrimaryTokenPrivilege
  Token: SeBackupPrivilege
  Token: SeDebugPrivilege
  Token: 36
  Token: SeImpersonatePrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: 33
  Token: SeManageVolumePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeRestorePrivilege
  Token: SeSecurityPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  followed by 12 repetitions of the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege (48 entries)

Suspicious use of SetWindowsHookEx (13 IoCs)
Processes:
  pid 4252  ONENOTE.EXE  (13 entries)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  PID 4512 wrote to memory of 4248  VenomV6.exe -> splwow64.exe  (2 entries)
  PID 3084 wrote to memory of 4252  printfilterpipelinesvc.exe -> ONENOTE.EXE  (2 entries)
  PID 4512 wrote to memory of 2516  VenomV6.exe -> 7348.tmp  (4 entries)
  PID 2516 wrote to memory of 4172  7348.tmp -> cmd.exe  (3 entries)
Processes (process tree; nesting shows the parent/child depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\Venom Software v6\VenomV6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Venom Software v6\VenomV6.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      - Drops file in System32 directory

    C:\ProgramData\7348.tmp
      Command line: "C:\ProgramData\7348.tmp"
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7348.tmp >> NUL

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
  - Drops file in Windows directory

C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{0ECF4E2B-757D-48B3-B308-E0AB136CFF19}.xps" 133609593419490000
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\$Recycle.Bin\S-1-5-21-1739856679-3467441365-73334005-1000\DDDDDDDDDDD
  Filesize: 129B
  MD5: f1422739baa8d059d6815cf39e467b51
  SHA1: 27bfcc662aafc45e60ff5164fdbbeda3a3bca7c0
  SHA256: bcb63a1faf160407ee4d16edc9c1048fad284c7737072099a341f0983e27828f
  SHA512: 9a450f95cdb774ec65bbc345433d6b5fe4448235f6d798de201dbb3f80f499c182fa44ff0e621e9a2bb0ca48a72f6e0fce2aed20ef36b8214df20f10fe06f39b

C:\3R9qG8i3Z.README.txt
  Filesize: 953B
  MD5: ee03c530816e1cba6e79a52bb29dbdcc
  SHA1: ae60c28363fc60003d73f46e685018490e2db92d
  SHA256: 15f0fb419b64911554b55f6e57b0680e62b6c80925b92eb139a3217629f6d93c
  SHA512: 7369d65e61e7b5c19ce5df3df895373c16d481e48da551aa239bcd8c90645adde4be94634ce29c40926010fff7d0931fc88aeaafdf85d8e6624b803f2dd93f56

C:\ProgramData\7348.tmp
  Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\Venom Software v6\EEEEEEEEEEE
  Filesize: 146KB
  MD5: 61bd11de650288362d735e444fe24c80
  SHA1: d1d5ce193ab45ba733254a20842c769a1ce4cc49
  SHA256: a91131638a9b49512e7c0eb41b5373ed48bb96c642ca30dcd72a4fd286bdbbae
  SHA512: bace0a2dfbe8edb4fdfc7dab3e36c9b63399bbe757ad974b7a7a4c24604511e0072d0f7be4d6b12adcbdbc1336d0d15da1a3e281b3ee34a88b1dacc5698dcfe7

C:\Users\Admin\AppData\Local\Temp\{84111197-27FD-4DBF-B1A6-51F16BEC613A}
  Filesize: 4KB
  MD5: e591037783a916d034f3175c6e15c9c6
  SHA1: c303862dc8cf4e0f06bdafa30d73e0f66a77796c
  SHA256: 974e4da043311a3460239dd2b1ed258949b6e9d9526d2a6bb6efd75be8deb07f
  SHA512: 6987b4ddb913771cca2c86a3c81b72d652a1abfd379196885093c07a95c39e1905164097c33e984f041d0f69ab2730abc7793b21f573b1528eb348ee1d911d1f

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
  Filesize: 4KB
  MD5: deeacc2da890ad371f133bc3f95d7850
  SHA1: 7ec3f6d6ee529df6b2983e9f2abcfa3ab4030366
  SHA256: 87ff3a5cfd5591013564105cfba25baa68090139190aa3a6e63ffb91fb1cadbe
  SHA512: e9d69c0bf101387e547c455069d954eeefe4a87b808a2451997e87df8fdb3685609795b41dbc2ef35ea1203b9cb1e4ab6d50ccdf23cf690c051a160035f49a17

F:\$RECYCLE.BIN\S-1-5-21-1739856679-3467441365-73334005-1000\DDDDDDDDDDD
  Filesize: 129B
  MD5: 3ac72332a801de0b4b7ae5f8356174a9
  SHA1: 24121ee0eb44157e4041ebc444c7380f91cbd774
  SHA256: e6c8dac55a3518bfd0fa9d222aefe61de0aaf29418c8cb5a44a338f8cf19ec55
  SHA512: eadc8a5e6e47794e8f4a8872daba2cbdd265b79afed0e9d433975cb08ad545c29401d8a081ec0ccb3c27f6f71f855c552fb561bbf823a699ebcf1bab460c927a

Memory dumps:
  memory/2700-2628-0x000001B827BB0000-0x000001B827BB1000-memory.dmp  Filesize: 4KB
  memory/2700-2546-0x000001B822EF0000-0x000001B822EF1000-memory.dmp  Filesize: 4KB
  memory/2700-2574-0x000001B827A50000-0x000001B827A51000-memory.dmp  Filesize: 4KB
  memory/2700-2489-0x000001B822E60000-0x000001B822E70000-memory.dmp  Filesize: 64KB
  memory/2700-2589-0x000001B827B90000-0x000001B827B91000-memory.dmp  Filesize: 4KB
  memory/4252-2926-0x00007FFE73420000-0x00007FFE73430000-memory.dmp  Filesize: 64KB
  memory/4252-2925-0x00007FFE73420000-0x00007FFE73430000-memory.dmp  Filesize: 64KB
  memory/4252-2927-0x00007FFE73420000-0x00007FFE73430000-memory.dmp  Filesize: 64KB
  memory/4252-2928-0x00007FFE73420000-0x00007FFE73430000-memory.dmp  Filesize: 64KB
  memory/4252-2959-0x00007FFE708D0000-0x00007FFE708E0000-memory.dmp  Filesize: 64KB
  memory/4252-2960-0x00007FFE708D0000-0x00007FFE708E0000-memory.dmp  Filesize: 64KB
  memory/4512-2908-0x0000000002790000-0x00000000027A0000-memory.dmp  Filesize: 64KB
  memory/4512-2909-0x0000000002790000-0x00000000027A0000-memory.dmp  Filesize: 64KB
  memory/4512-2-0x0000000002790000-0x00000000027A0000-memory.dmp  Filesize: 64KB
  memory/4512-0-0x0000000002790000-0x00000000027A0000-memory.dmp  Filesize: 64KB
  memory/4512-1-0x0000000002790000-0x00000000027A0000-memory.dmp  Filesize: 64KB