venus | d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb | Triage

Submit
Reports

Overview

overview

Static

static

d74758f7cd...eb.exe

windows7-x64

d74758f7cd...eb.exe

windows10-1703-x64

d74758f7cd...eb.exe

windows10-2004-x64

d74758f7cd...eb.exe

windows11-21h2-x64

Sharing

General

Target

d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb
Size

225KB
Sample

240615-nsffxaygpe
MD5

67b1a741e020284593a05bc4b1a3d218
SHA1

401e6815bbc62b092f96e93e9535f09d77aa4522
SHA256

d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb
SHA512

fc35cac1f925df0a516b4694658fc31a5fdb41ef8dee2a7d37d194e05ee06ec0f054494872f991ef90b46af7ee9ba0e2bd79a8c9109ca18d556f8b99be76067e
SSDEEP

6144:w4bJmXqQwAhojkJZkYiV50DEruMxgTw7ozFD254W:w4NeqQwAhZb9DOGcopfW

Score

10^/10

venus defense_evasion evasion execution impact persistence ransomware spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb.exe

Resource

win7-20231129-en

venus defense_evasion evasion execution impact persistence ransomware spyware stealer

windows7-x64

26 signatures

150 seconds

Behavioral task

behavioral2

Sample

d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb.exe

Resource

win10-20240611-en

venus defense_evasion evasion execution impact persistence ransomware spyware stealer

windows10-1703-x64

28 signatures

150 seconds

Behavioral task

behavioral3

Sample

d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb.exe

Resource

win10v2004-20240611-en

venus defense_evasion evasion execution impact persistence ransomware spyware stealer

windows10-2004-x64

26 signatures

150 seconds

Behavioral task

behavioral4

Sample

d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb.exe

Resource

win11-20240508-en

venus defense_evasion evasion execution impact persistence ransomware spyware stealer

windows11-21h2-x64

26 signatures

150 seconds

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\40420183721972539507.hta

Ransom Note

<<<Venus>>> We stole and encrypted your data, if you do not contact us within 48 hours we will sell your data on the dark net.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected]

Emails

email:[email protected]

Targets

- Target
  
  d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb
- Size
  
  225KB
- MD5
  
  67b1a741e020284593a05bc4b1a3d218
- SHA1
  
  401e6815bbc62b092f96e93e9535f09d77aa4522
- SHA256
  
  d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb
- SHA512
  
  fc35cac1f925df0a516b4694658fc31a5fdb41ef8dee2a7d37d194e05ee06ec0f054494872f991ef90b46af7ee9ba0e2bd79a8c9109ca18d556f8b99be76067e
- SSDEEP
  
  6144:w4bJmXqQwAhojkJZkYiV50DEruMxgTw7ozFD254W:w4NeqQwAhZb9DOGcopfW
Score

10^/10

venus defense_evasion evasion execution impact persistence ransomware spyware stealer
- Venus
  Venus is a ransomware first seen in 2022.
  ransomware venus
- Venus Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (8781) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Windows Management Instrumentation

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Indicator Removal

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Defacement

Inhibit System Recovery

Tasks

static1

behavioral1

venusdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

behavioral2

venusdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

behavioral3

venusdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

behavioral4

venusdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

© 2018-2024

Terms | Privacy