Overview
Tabs (analysis score per tab):
- Overview: 10
- Static: 10
- Venus Tool...ol.exe (windows7-x64): 7
- Venus Tool...ol.exe (windows10-2004-x64): 8
- Venus Tool...ge.png (windows7-x64): 1
- Venus Tool...ge.png (windows10-2004-x64): 3
- Venus Tool...g.json (windows7-x64): 3
- Venus Tool...g.json (windows10-2004-x64): 3
- Venus Tool/crack.dll (windows7-x64): 9
- Venus Tool/crack.dll (windows10-2004-x64): 9
Resubmissions
- 21-06-2024 12:42  240621-pxhmhazeng  score 10
- 21-06-2024 12:28  240621-pnlmsszbna  score 10
- 21-06-2024 12:27  240621-pm82pszbld  score 10
Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 21-06-2024 12:28
Behavioral tasks
- behavioral1: Venus Tool/Venus Tool.exe (resource win7-20240508-en)
- behavioral2: Venus Tool/Venus Tool.exe (resource win10v2004-20240611-en)
- behavioral3: Venus Tool/assets/avatars/image.png (resource win7-20240611-en)
- behavioral4: Venus Tool/assets/avatars/image.png (resource win10v2004-20240508-en)
- behavioral5: Venus Tool/assets/config.json (resource win7-20240419-en)
- behavioral6: Venus Tool/assets/config.json (resource win10v2004-20240611-en)
- behavioral7: Venus Tool/crack.dll (resource win7-20240508-en)
General
- Target: Venus Tool/assets/config.json
- Size: 149B
- MD5: ee9db446b33f463ca8f558873c6fff7e
- SHA1: d40efe04626a430d9c9c1b8db90dbd1110d8e2f8
- SHA256: 09962830609b0d1d5b286ad3e178245cfc152caa278d660b5b0a3dc21559547e
- SHA512: 7babaeb3edf9a7fcb9da804c5c1c53ce8abfeb91f83774a60bd538ca3c0bb4afb29f0afeb4ebb00bb51575a8c8d7011900367b92643925a1e585f2e73fba86d8
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description: ioc (process)
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\json_auto_file\ (rundll32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.json (rundll32.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.json\ = "json_auto_file" (rundll32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\json_auto_file\shell\Read (rundll32.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" (rundll32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings (rundll32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\json_auto_file (rundll32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\json_auto_file\shell (rundll32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\json_auto_file\shell\Read\command (rundll32.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid 2636 (AcroRd32.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid 2636 (AcroRd32.exe)
  pid 2636 (AcroRd32.exe)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description: pid (process) -> target process
  PID 2952 wrote to memory of 2688: 2952 (cmd.exe) -> rundll32.exe
  PID 2952 wrote to memory of 2688: 2952 (cmd.exe) -> rundll32.exe
  PID 2952 wrote to memory of 2688: 2952 (cmd.exe) -> rundll32.exe
  PID 2688 wrote to memory of 2636: 2688 (rundll32.exe) -> AcroRd32.exe
  PID 2688 wrote to memory of 2636: 2688 (rundll32.exe) -> AcroRd32.exe
  PID 2688 wrote to memory of 2636: 2688 (rundll32.exe) -> AcroRd32.exe
  PID 2688 wrote to memory of 2636: 2688 (rundll32.exe) -> AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Venus Tool\assets\config.json"
  PID: 2952
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venus Tool\assets\config.json
    PID: 2688
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venus Tool\assets\config.json"
      PID: 2636
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 7a12b92d7ecaa3d5be735acb1342e132
  SHA1: c81ec0ba8f186271e3a547e082b44e7a70751221
  SHA256: f20b72ef67c1d8108e08782c8c1899705df8c1327dcf224ca10a3b150c8b298c
  SHA512: 4667cf741ec50069a9f373464450fc86d51151ef5374491114d895450cdd6849bc95a53bf07b01f1deeb4e6b05f8bff6266d289c0d5f8e3412b3a2ebacbcbd39