e15032dd5c14a1149274faf83ed306ab82fa0d90aa507c982025d4e2d32098c3

General

Target

Venom Software v6/VenomV6.exe
Size

146KB
MD5

3d49478072bf18339ef810c8ea7546b2
SHA1

c1047d72d4cdce21af4bb989ad1bee437edb7f80
SHA256

e3300e30997c5a355f02ca6972711b2ca843d00a393b62c75818a43c27ff128d
SHA512

f47f6a1c51b92cc34a1dc264bc2b151690f1c314c5f97b08530e9efd6929c860985f9410f411cb31e0f3acd75b8969e4791ca9fb080901f6f4cb70322255a91c
SSDEEP

3072:A6glyuxE4GsUPnliByocWepU0DxwbL2LUnPaZw:A6gDBGpvEByocWeTDxOL2LScw

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\3R9qG8i3Z.README.txt

Ransom Note

~~~ PC Locker 3.0 by Mr.Robot~~~ >>>> Your data are stolen and encrypted To get your files back you will have to pay a one-time fee of $45 in bitcoin or monero. >>>> You need contact us and decrypt one file for free on these platforms with your personal DECRYPTION ID Contact the following account on telegram @mr_robot_unlock or paste this link in your browser https://t.me/mr_robot_unlock >>>> Your personal DECRYPTION ID: 4B75BFA39AA770FC613271855F60B2DD >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom you will not receive you files NO EXCEPTIONS! >>>> Warning! Any attempt to negotiate or you don't want to pay is INSTANT BLOCK! >>>> Advertisement Would you like to earn thousands of dollars $$$ ? We sell mentorship for stealers, DDOS and ransomware. We only work with professionals and people with money DO NOT WASTE OUR TIME.

URLs

https://t.me/mr_robot_unlock

Signatures

Renames multiple (544) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

7348.tmp

pid process

2516 7348.tmp
Executes dropped EXE 1 IoCs

Processes:

7348.tmp

pid process

2516 7348.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

VenomV6.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1739856679-3467441365-73334005-1000\desktop.ini	VenomV6.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1739856679-3467441365-73334005-1000\desktop.ini	VenomV6.exe

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\PPq07hntju8i_85h4i973ux6i1b.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPwcmdyucwnbb1w3zk9gnk30l.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPotmz1v21xa7ea2d84epas73fd.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

VenomV6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\3R9qG8i3Z.bmp"	VenomV6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\3R9qG8i3Z.bmp"	VenomV6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

VenomV6.exe7348.tmp

pid process

4512 VenomV6.exe
4512 VenomV6.exe
4512 VenomV6.exe
4512 VenomV6.exe
2516 7348.tmp
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

VenomV6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop	VenomV6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\WallpaperStyle = "10"	VenomV6.exe

Modifies registry class 5 IoCs

Processes:

VenomV6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z\DefaultIcon\ = "C:\\ProgramData\\3R9qG8i3Z.ico"	VenomV6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.3R9qG8i3Z	VenomV6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3R9qG8i3Z\ = "3R9qG8i3Z"	VenomV6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z\DefaultIcon	VenomV6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z	VenomV6.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

VenomV6.exeONENOTE.EXE

pid	process
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4512	VenomV6.exe
4252	ONENOTE.EXE
4252	ONENOTE.EXE

Suspicious behavior: RenamesItself 26 IoCs

Processes:

7348.tmp

pid	process
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp
2516	7348.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VenomV6.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeDebugPrivilege	4512	VenomV6.exe
Token: 36	4512	VenomV6.exe
Token: SeImpersonatePrivilege	4512	VenomV6.exe
Token: SeIncBasePriorityPrivilege	4512	VenomV6.exe
Token: SeIncreaseQuotaPrivilege	4512	VenomV6.exe
Token: 33	4512	VenomV6.exe
Token: SeManageVolumePrivilege	4512	VenomV6.exe
Token: SeProfSingleProcessPrivilege	4512	VenomV6.exe
Token: SeRestorePrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeSystemProfilePrivilege	4512	VenomV6.exe
Token: SeTakeOwnershipPrivilege	4512	VenomV6.exe
Token: SeShutdownPrivilege	4512	VenomV6.exe
Token: SeDebugPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeBackupPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe
Token: SeSecurityPrivilege	4512	VenomV6.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
4252	ONENOTE.EXE
4252	ONENOTE.EXE
4252	ONENOTE.EXE
4252	ONENOTE.EXE
4252	ONENOTE.EXE
4252	ONENOTE.EXE
4252	ONENOTE.EXE
4252	ONENOTE.EXE
4252	ONENOTE.EXE
4252	ONENOTE.EXE
4252	ONENOTE.EXE
4252	ONENOTE.EXE
4252	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

VenomV6.exeprintfilterpipelinesvc.exe7348.tmp

description	pid	process	target process
PID 4512 wrote to memory of 4248	4512	VenomV6.exe	splwow64.exe
PID 4512 wrote to memory of 4248	4512	VenomV6.exe	splwow64.exe
PID 3084 wrote to memory of 4252	3084	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 3084 wrote to memory of 4252	3084	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 4512 wrote to memory of 2516	4512	VenomV6.exe	7348.tmp
PID 4512 wrote to memory of 2516	4512	VenomV6.exe	7348.tmp
PID 4512 wrote to memory of 2516	4512	VenomV6.exe	7348.tmp
PID 4512 wrote to memory of 2516	4512	VenomV6.exe	7348.tmp
PID 2516 wrote to memory of 4172	2516	7348.tmp	cmd.exe
PID 2516 wrote to memory of 4172	2516	7348.tmp	cmd.exe
PID 2516 wrote to memory of 4172	2516	7348.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Venom Software v6\VenomV6.exe
"C:\Users\Admin\AppData\Local\Temp\Venom Software v6\VenomV6.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:4248

C:\ProgramData\7348.tmp
"C:\ProgramData\7348.tmp"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7348.tmp >> NUL
3⤵
PID:4172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
- Drops file in Windows directory
PID:2700

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3084

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{0ECF4E2B-757D-48B3-B308-E0AB136CFF19}.xps" 133609593419490000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1739856679-3467441365-73334005-1000\DDDDDDDDDDD
Filesize
129B

MD5
f1422739baa8d059d6815cf39e467b51

SHA1
27bfcc662aafc45e60ff5164fdbbeda3a3bca7c0

SHA256
bcb63a1faf160407ee4d16edc9c1048fad284c7737072099a341f0983e27828f

SHA512
9a450f95cdb774ec65bbc345433d6b5fe4448235f6d798de201dbb3f80f499c182fa44ff0e621e9a2bb0ca48a72f6e0fce2aed20ef36b8214df20f10fe06f39b

Download Submit
C:\3R9qG8i3Z.README.txt
Filesize
953B

MD5
ee03c530816e1cba6e79a52bb29dbdcc

SHA1
ae60c28363fc60003d73f46e685018490e2db92d

SHA256
15f0fb419b64911554b55f6e57b0680e62b6c80925b92eb139a3217629f6d93c

SHA512
7369d65e61e7b5c19ce5df3df895373c16d481e48da551aa239bcd8c90645adde4be94634ce29c40926010fff7d0931fc88aeaafdf85d8e6624b803f2dd93f56

Download Submit
C:\ProgramData\7348.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Venom Software v6\EEEEEEEEEEE
Filesize
146KB

MD5
61bd11de650288362d735e444fe24c80

SHA1
d1d5ce193ab45ba733254a20842c769a1ce4cc49

SHA256
a91131638a9b49512e7c0eb41b5373ed48bb96c642ca30dcd72a4fd286bdbbae

SHA512
bace0a2dfbe8edb4fdfc7dab3e36c9b63399bbe757ad974b7a7a4c24604511e0072d0f7be4d6b12adcbdbc1336d0d15da1a3e281b3ee34a88b1dacc5698dcfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{84111197-27FD-4DBF-B1A6-51F16BEC613A}
Filesize
4KB

MD5
e591037783a916d034f3175c6e15c9c6

SHA1
c303862dc8cf4e0f06bdafa30d73e0f66a77796c

SHA256
974e4da043311a3460239dd2b1ed258949b6e9d9526d2a6bb6efd75be8deb07f

SHA512
6987b4ddb913771cca2c86a3c81b72d652a1abfd379196885093c07a95c39e1905164097c33e984f041d0f69ab2730abc7793b21f573b1528eb348ee1d911d1f

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
Filesize
4KB

MD5
deeacc2da890ad371f133bc3f95d7850

SHA1
7ec3f6d6ee529df6b2983e9f2abcfa3ab4030366

SHA256
87ff3a5cfd5591013564105cfba25baa68090139190aa3a6e63ffb91fb1cadbe

SHA512
e9d69c0bf101387e547c455069d954eeefe4a87b808a2451997e87df8fdb3685609795b41dbc2ef35ea1203b9cb1e4ab6d50ccdf23cf690c051a160035f49a17

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1739856679-3467441365-73334005-1000\DDDDDDDDDDD
Filesize
129B

MD5
3ac72332a801de0b4b7ae5f8356174a9

SHA1
24121ee0eb44157e4041ebc444c7380f91cbd774

SHA256
e6c8dac55a3518bfd0fa9d222aefe61de0aaf29418c8cb5a44a338f8cf19ec55

SHA512
eadc8a5e6e47794e8f4a8872daba2cbdd265b79afed0e9d433975cb08ad545c29401d8a081ec0ccb3c27f6f71f855c552fb561bbf823a699ebcf1bab460c927a

Download Submit
memory/2700-2628-0x000001B827BB0000-0x000001B827BB1000-memory.dmp

Filesize
4KB

Download
memory/2700-2546-0x000001B822EF0000-0x000001B822EF1000-memory.dmp

Filesize
4KB

Download
memory/2700-2574-0x000001B827A50000-0x000001B827A51000-memory.dmp

Filesize
4KB

Download
memory/2700-2489-0x000001B822E60000-0x000001B822E70000-memory.dmp

Filesize
64KB

Download
memory/2700-2589-0x000001B827B90000-0x000001B827B91000-memory.dmp

Filesize
4KB

Download
memory/4252-2926-0x00007FFE73420000-0x00007FFE73430000-memory.dmp

Filesize
64KB

Download
memory/4252-2925-0x00007FFE73420000-0x00007FFE73430000-memory.dmp

Filesize
64KB

Download
memory/4252-2927-0x00007FFE73420000-0x00007FFE73430000-memory.dmp

Filesize
64KB

Download
memory/4252-2928-0x00007FFE73420000-0x00007FFE73430000-memory.dmp

Filesize
64KB

Download
memory/4252-2959-0x00007FFE708D0000-0x00007FFE708E0000-memory.dmp

Filesize
64KB

Download
memory/4252-2960-0x00007FFE708D0000-0x00007FFE708E0000-memory.dmp

Filesize
64KB

Download
memory/4512-2908-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4512-2909-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4512-2-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4512-0-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4512-1-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads