Overview
overview
10Static
static
10Venus Tool...ol.exe
windows7-x64
7Venus Tool...ol.exe
windows10-2004-x64
8Venus Tool...ge.png
windows7-x64
1Venus Tool...ge.png
windows10-2004-x64
3Venus Tool...g.json
windows7-x64
3Venus Tool...g.json
windows10-2004-x64
3Venus Tool/crack.dll
windows7-x64
9Venus Tool/crack.dll
windows10-2004-x64
9Resubmissions
21-06-2024 12:42
240621-pxhmhazeng 1021-06-2024 12:28
240621-pnlmsszbna 1021-06-2024 12:27
240621-pm82pszbld 10Analysis
-
max time kernel
140s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
21-06-2024 12:28
Behavioral task
behavioral1
Sample
Venus Tool/Venus Tool.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Venus Tool/Venus Tool.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
Venus Tool/assets/avatars/image.png
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
Venus Tool/assets/avatars/image.png
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
Venus Tool/assets/config.json
Resource
win7-20240419-en
Behavioral task
behavioral6
Sample
Venus Tool/assets/config.json
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
Venus Tool/crack.dll
Resource
win7-20240508-en
General
-
Target
Venus Tool/crack.dll
-
Size
5.0MB
-
MD5
b5b1b26e855eda6268b9a2008e0fce86
-
SHA1
d7925f7de5835e3564b187d8654bb9305ea945fb
-
SHA256
06dec4f9857f7b9a43157756606546d04a0f34c87681c7db9aab9125a43b33a7
-
SHA512
14ad2e93ed5876dd246ce6f32674e994b4f35a5acbb1ac46388bebc682a70ce4eca974fda102c273c71dae3c9bc7b69f965fd636cb2d5c579de9cd23e8b35799
-
SSDEEP
98304:j+YCYfXbb8DckgAEhxWiHF/5DoNZ2qkFVwz7583lfdmjLdGGf:jP8QDDRF/eNsqgiZ
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe -
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 1692 wrote to memory of 2224 1692 rundll32.exe WerFault.exe PID 1692 wrote to memory of 2224 1692 rundll32.exe WerFault.exe PID 1692 wrote to memory of 2224 1692 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\Venus Tool\crack.dll",#11⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1692 -s 1162⤵PID:2224
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1692-0-0x0000000073670000-0x000000007404F000-memory.dmpFilesize
9.9MB
-
memory/1692-2-0x0000000073670000-0x000000007404F000-memory.dmpFilesize
9.9MB
-
memory/1692-5-0x0000000073670000-0x000000007404F000-memory.dmpFilesize
9.9MB
-
memory/1692-6-0x0000000073670000-0x000000007404F000-memory.dmpFilesize
9.9MB
-
memory/1692-4-0x0000000073670000-0x000000007404F000-memory.dmpFilesize
9.9MB
-
memory/1692-3-0x0000000073670000-0x000000007404F000-memory.dmpFilesize
9.9MB
-
memory/1692-1-0x0000000073670000-0x000000007404F000-memory.dmpFilesize
9.9MB
-
memory/1692-7-0x0000000073670000-0x000000007404F000-memory.dmpFilesize
9.9MB