Analysis
max time kernel: 48s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/11/2024, 04:07
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
  Resource: win10v2004-20241007-en
General
Target: 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
Size: 513KB
MD5: 58927a69657702c9ba253080a8055979
SHA1: beacef5ddb4a5f27d104b1ef41958bd4d5753375
SHA256: 40786a54e15726f80eb14b1433834a0a34e7b220ea2f6790b1dcc20827083b80
SHA512: 7e8fd932d2f8b710f3c7202e45dd826d0319963dda1cb3091a70a11db0ae7fade9f1f1e27ce9c5621badc54054fde175603de14533efc63bbec94c3d55359aed
SSDEEP: 6144:0dKyZEYF+JAm3tdLVOE7O9l+ZMz9LB5V0QE6BkLrHlPIyZRAO4V50DEroE0Rjp13:0diYF+JAm3tdLVOigz9dXtVmLr71DL
Malware Config
Signatures
-
Renames multiple (21035) files with added filename extension
Appending a new extension to 21035 files in a single run is consistent with ransomware encrypting the files on the system; the file-modification IoCs listed below come from the same run.
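The sandbox reaches this verdict by counting renames of the form `<old name>` to `<old name>.<ext>`. The following is an added example of that heuristic over file-system rename events, not the sandbox's own code: the events, the `.venus` extension (a placeholder, not the extension this sample uses) and the threshold are all constructed for illustration.

```python
"""Rename-burst heuristic behind a 'renames multiple files with added
filename extension' verdict. Added example; not sandbox code."""
from collections import Counter
from typing import Iterable, Optional, Tuple

# Constructed rename events (old_path, new_path) of the kind a file-system
# monitor would record. '.venus' is a placeholder extension, not the real one.
SAMPLE_EVENTS = [
    (r"C:\Users\Admin\Documents\budget.xlsx", r"C:\Users\Admin\Documents\budget.xlsx.venus"),
    (r"C:\Users\Admin\Pictures\holiday.jpg", r"C:\Users\Admin\Pictures\holiday.jpg.venus"),
    (r"C:\Windows\Media\Desktop.ini", r"C:\Windows\Media\Desktop.ini.venus"),
    # benign renames that must not count: an atomic save and a plain move
    (r"C:\Users\Admin\Documents\~report.tmp", r"C:\Users\Admin\Documents\report.docx"),
    (r"C:\Users\Admin\Downloads\setup.exe", r"C:\Users\Admin\Desktop\setup.exe"),
]


def appended_extension(old_path: str, new_path: str) -> Optional[str]:
    """Return the suffix appended to old_path to form new_path (e.g. '.venus'),
    or None when new_path is not simply old_path plus one '.ext' suffix."""
    if not new_path.startswith(old_path):
        return None
    suffix = new_path[len(old_path):]
    if len(suffix) < 2 or not suffix.startswith("."):
        return None
    # exactly one extension and no path separators: 'a.txt' -> 'a.txt.venus'
    if any(ch in suffix[1:] for ch in ".\\/"):
        return None
    return suffix


def count_appended_extensions(events: Iterable[Tuple[str, str]]) -> Counter:
    """Histogram of appended extensions over a stream of rename events."""
    counts: Counter = Counter()
    for old_path, new_path in events:
        ext = appended_extension(old_path, new_path)
        if ext is not None:
            counts[ext] += 1
    return counts


def rename_burst_verdict(events: Iterable[Tuple[str, str]],
                         threshold: int = 100) -> Optional[Tuple[str, int]]:
    """Return (extension, count) when a single appended extension occurs at
    least `threshold` times. The default threshold is a hypothetical tuning
    value chosen for this example, not the sandbox's setting."""
    counts = count_appended_extensions(events)
    if not counts:
        return None
    ext, n = counts.most_common(1)[0]
    return (ext, n) if n >= threshold else None


if __name__ == "__main__":
    print(count_appended_extensions(SAMPLE_EVENTS))
    print(rename_burst_verdict(SAMPLE_EVENTS, threshold=3))
```

Only renames where the new name is the old name plus a single `.ext` are counted, so atomic saves (`~x.tmp` to `x.docx`) and moves between folders do not contribute; the dominant extension is also the value to pivot on when hunting for the same locker on other hosts.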
-
Drops file in Drivers directory (44 IoCs)
Almost every entry is a localized resource file (.sys.mui) or a non-driver file (gm.dls, gmreadme.txt); the only driver images touched are afunix.sys under System32 and SysWOW64.
Process for every entry: 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification:
  C:\Windows\System32\drivers\en-US\wfplwfs.sys.mui
  C:\Windows\System32\drivers\ja-JP\wfplwfs.sys.mui
  C:\Windows\SysWOW64\drivers\gmreadme.txt
  C:\Windows\System32\drivers\en-US\ndiscap.sys.mui
  C:\Windows\System32\drivers\en-US\NdisImPlatform.sys.mui
  C:\Windows\System32\drivers\fr-FR\ndiscap.sys.mui
  C:\Windows\System32\drivers\it-IT\wfplwfs.sys.mui
  C:\Windows\System32\drivers\fr-FR\NdisImPlatform.sys.mui
  C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui
  C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui
  C:\Windows\System32\drivers\ja-JP\ndiscap.sys.mui
  C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui
  C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui
  C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui
  C:\Windows\System32\drivers\es-ES\ndiscap.sys.mui
  C:\Windows\System32\drivers\es-ES\NdisImPlatform.sys.mui
  C:\Windows\System32\drivers\fr-FR\wfplwfs.sys.mui
  C:\Windows\System32\drivers\gm.dls
  C:\Windows\SysWOW64\drivers\gm.dls
  C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui
  C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui
  C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui
  C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui
  C:\Windows\System32\drivers\afunix.sys
  C:\Windows\System32\drivers\de-DE\ndiscap.sys.mui
  C:\Windows\System32\drivers\ja-JP\NdisImPlatform.sys.mui
  C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui
  C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui
  C:\Windows\System32\drivers\gmreadme.txt
  C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui
  C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui
  C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui
  C:\Windows\System32\drivers\it-IT\ndiscap.sys.mui
  C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui
  C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui
  C:\Windows\System32\drivers\uk-UA\NdisImPlatform.sys.mui
  C:\Windows\SysWOW64\drivers\afunix.sys
  C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui
  C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui
  C:\Windows\System32\drivers\de-DE\NdisImPlatform.sys.mui
  C:\Windows\System32\drivers\de-DE\wfplwfs.sys.mui
  C:\Windows\System32\drivers\es-ES\wfplwfs.sys.mui
  C:\Windows\System32\drivers\it-IT\NdisImPlatform.sys.mui
  C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui
-
Manipulates Digital Signatures (4 IoCs)
Tampering with wintrust.dll, or with a PowerShell subject interface package such as pwrshsip.dll, can make an unsigned binary or script appear to carry a valid signature. In this report the four hits sit inside a run that renamed 21035 files and modified System32 and SysWOW64 contents wholesale, so they are most plausibly collateral of mass encryption rather than targeted tampering; check whether these DLLs still verify (for example with Get-AuthenticodeSignature) before treating the signature as a defence-evasion technique.
Process for every entry: 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification:
  C:\Windows\SysWOW64\wintrust.dll
  C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
  C:\Windows\System32\wintrust.dll
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll
-
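The IoC blocks on this page are flattened runs of `<action> <path> <process>` with the column header `description ioc Process` fused in front. The following added example (not the sandbox's code) parses a block in that shape back into records and applies the collateral check described above: it buckets modified paths by directory and extension and flags signature-stack hits that amount to 5% or less of everything the process touched. The sample block is constructed from a few entries on this page, and the 5% cut-off and the set `SIGNATURE_STACK` are the example's own choices.

```python
"""Parse flattened sandbox IoC blocks and triage them. Added example;
not the sandbox's own code."""
import ntpath
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_PROCESS = "2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe"

# The two actions that occur on this page; each entry is "<action> <path> <process>".
ACTION_RE = re.compile(r"File opened (?:for modification|\(read-only\)) ")

# DLLs the report lists under "Manipulates Digital Signatures", plus
# mscat32.dll (catalog API), which appears in the System32 list. Example set.
SIGNATURE_STACK = {"wintrust.dll", "pwrshsip.dll", "mscat32.dll"}

Record = Tuple[str, str, str]  # (action, path, process)

# Constructed from entries on this page; a real block is one long line.
SAMPLE_BLOCK = " ".join([
    "description ioc Process",
    f"File opened for modification C:\\Windows\\System32\\drivers\\en-US\\wfplwfs.sys.mui {SAMPLE_PROCESS}",
    f"File opened for modification C:\\Windows\\SysWOW64\\wintrust.dll {SAMPLE_PROCESS}",
    f"File opened for modification C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip.dll {SAMPLE_PROCESS}",
    f"File opened for modification C:\\Program Files\\VideoLAN\\VLC\\locale\\nl\\LC_MESSAGES\\vlc.mo {SAMPLE_PROCESS}",
    f"File opened (read-only) \\??\\F: {SAMPLE_PROCESS}",
    "-",
])


def parse_ioc_block(text: str, process: str = SAMPLE_PROCESS) -> List[Record]:
    """Split a flattened block into (action, path, process) records.
    Assumes the process name does not itself occur inside any path."""
    body = text.strip()
    header = "description ioc Process"
    if body.startswith(header):
        body = body[len(header):].lstrip()
    if body.endswith(" -"):          # trailing separator in the dump
        body = body[:-2]
    records: List[Record] = []
    for m in ACTION_RE.finditer(body):
        start = m.end()
        end = body.find(process, start)   # the path runs up to the process name
        if end == -1:
            raise ValueError(f"no process name after offset {start}")
        records.append((m.group(0).strip(), body[start:end].strip(), process))
    return records


def top_dir(path: str, depth: int = 3) -> str:
    """First `depth` components of a Windows path, e.g. C:\\Windows\\System32."""
    parts = [p for p in path.split("\\") if p]
    return "\\".join(parts[:depth])


def triage(records: List[Record]) -> Dict[str, object]:
    """Summarise modified paths and judge whether signature-stack hits are
    a small fraction of a mass-modification run (likely encryption collateral)."""
    modified = [p for action, p, _ in records if action == "File opened for modification"]
    sig_hits = sorted(p for p in modified if ntpath.basename(p).lower() in SIGNATURE_STACK)
    return {
        "modified_total": len(modified),
        "by_top_dir": Counter(top_dir(p) for p in modified),
        "by_extension": Counter(ntpath.splitext(p)[1].lower() for p in modified),
        "signature_stack_hits": sig_hits,
        # 5% or less of all modifications: illustrative cut-off, not a sandbox rule
        "signature_hits_likely_collateral": bool(sig_hits) and len(sig_hits) * 20 <= len(modified),
    }


if __name__ == "__main__":
    for key, value in triage(parse_ioc_block(SAMPLE_BLOCK)).items():
        print(f"{key}: {value}")
```

Feed `parse_ioc_block` the whole text of a section (the `Drops file in System32 directory` block, for instance) and the `by_extension` histogram shows at a glance whether the run is dominated by resource files (.mui, .inf_loc, .cat) or by executable code; on the page's lists the former is the case.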
Reads user/profile data of web browsers (3 TTPs; no IoCs listed)
Infostealers often target stored browser data, which can include saved credentials.
-
Drops desktop.ini file(s) (12 IoCs)
All 12 entries are modifications of Desktop.ini files that already exist (Start Menu folders, wallpaper themes, service profiles), which fits the encryption run above better than the dropping of new files.
Process for every entry: 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification:
  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  C:\Windows\Media\Desktop.ini
  C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  C:\Windows\Web\Wallpaper\Theme1\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Windows\Web\Wallpaper\Theme2\Desktop.ini
-
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened (read-only):
  \??\F:
-
Drops file in System32 directory (64 IoCs)
Process for every entry: 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification:
  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-Containers-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat
  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-VirtualizationBasedSecurity-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppServerClient-OptGroup-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Basic-Http-Minio-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
  C:\Windows\System32\de-DE\ntdll.dll.mui
  C:\Windows\System32\DriverStore\fr-FR\sti.inf_loc
  C:\Windows\System32\DriverStore\ja-JP\CompositeBus.inf_loc
  C:\Windows\SysWOW64\en-US\wlandlg.dll.mui
  C:\Windows\SysWOW64\mscpx32r.dLL
  C:\Windows\SysWOW64\WMADMOE.DLL
  C:\Windows\System32\downlevel\api-ms-win-crt-time-l1-1-0.dll
  C:\Windows\System32\mfc42.dll
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Storage\StorageProvider.cdxml
  C:\Windows\SysWOW64\NmaDirect.dll
  C:\Windows\System32\mscat32.dll
  C:\Windows\System32\WMADMOE.DLL
  C:\Windows\System32\DriverStore\FileRepository\ialpssi_i2c.inf_amd64_8e00e1aed7fbdf70\iaLPSSi_I2C.sys
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\fr-FR\MSFT_EnvironmentResource.strings.psd1
  C:\Windows\SysWOW64\de-DE\olecli32.dll.mui
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterRdma.cdxml
  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmUiDevices-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat
  C:\Windows\System32\fr-FR\StorageContextHandler.dll.mui
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\it\Microsoft.AppV.AppVClientPowerShell.resources.dll
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PKI\pki.types.ps1xml
  C:\Windows\System32\DriverStore\de-DE\NdisImPlatform.inf_loc
  C:\Windows\System32\DriverStore\it-IT\c_camera.inf_loc
  C:\Windows\System32\winrm\0409\winrm.ini
  C:\Windows\SysWOW64\en-US\miutils.dll.mui
  C:\Windows\SysWOW64\it-IT\appmgmts.dll.mui
  C:\Windows\SysWOW64\wbem\it-IT\vds.mfl
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\MSFT_WindowsOptionalFeature.psm1
  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMPNetworkSharingService-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat
  C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_fffc54d66d592d52\bthenum.sys
  C:\Windows\System32\DriverStore\FileRepository\errdev.inf_amd64_616c5168a5b1807a\errdev.inf
  C:\Windows\System32\DriverStore\FileRepository\wvmbus.inf_amd64_a192dbf28b4634a7\vmbuspipe.dll
  C:\Windows\System32\ja-JP\BWContextHandler.dll.mui
  C:\Windows\System32\wbem\ppcRsopCompSchema.mof
  C:\Windows\SysWOW64\KBDFO.DLL
  C:\Windows\SysWOW64\LocationFrameworkPS.dll
  C:\Windows\System32\Dism\en-US\OfflineSetupProvider.dll.mui
  C:\Windows\System32\DriverStore\en-US\ufxchipidea.inf_loc
  C:\Windows\System32\DriverStore\FileRepository\c_usbdevice.inf_amd64_815550fc328ea85b\c_usbdevice.inf
  C:\Windows\System32\ExecModelClient.dll
  C:\Windows\System32\msvcp140_atomic_wait.dll
  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-ClientUA-Client-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat
  C:\Windows\System32\DriverStore\de-DE\iscsi.inf_loc
  C:\Windows\System32\DriverStore\FileRepository\tpmvsc.inf_amd64_9b03a5f041e8d2b2\tpmvsc.inf
  C:\Windows\System32\f3ahvoas.dll
  C:\Windows\System32\Speech_OneCore\Common\it-IT\SpellingGrammar.0410.grxml
  C:\Windows\SysWOW64\findnetprinters.dll
  C:\Windows\SysWOW64\msctfp.dll
  C:\Windows\SysWOW64\pscript.sep
  C:\Windows\SysWOW64\wbem\iscsiprf.mof
  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-Client-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat
  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingCommon-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat
  C:\Windows\System32\Dism\CbsProvider.dll
  C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_3294fc34256dbb0e\dc21x4vm.sys
  C:\Windows\System32\Fondue.exe
  C:\Windows\SysWOW64\Dism\fr-FR\OfflineSetupProvider.dll.mui
  C:\Windows\System32\APHostClient.dll
  C:\Windows\System32\DriverStore\en-US\nete1g3e.inf_loc
  C:\Windows\System32\fr-FR\msxml3r.dll.mui
  C:\Windows\System32\DriverStore\fr-FR\c_holographic.inf_loc
  C:\Windows\System32\fontext.dll
-
Drops file in Program Files directory (64 IoCs)
Process for every entry: 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification:
  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-100.png
  C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\GlobalMock-A.Tests.ps1
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\v8_context_snapshot.bin
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_lo.dll
  C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-125_contrast-white.png
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\LargeTile.scale-125.png
  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_24x24x32.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-125.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\ui-strings.js
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Design.resources.dll
  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml
  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nl-NL\View3d\3DViewerProductDescription-universal.xml
  C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo
  C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\MSFT_PackageManagementSource.strings.psd1
  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\ExploreModel.dll
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\plugin.js
  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png
  C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x
  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-150.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-72_altform-unplated_contrast-white.png
  C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1851_20x20x32.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\MedTile.scale-100.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\ui-strings.js
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll
  C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md
  C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui
  C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.ComponentModel.Annotations.dll
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js
  C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\resources.pri
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-256_contrast-black.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif
  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms
  C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms
  C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-125_contrast-white.png
  C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo
  C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Opacity.png
  C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\SmallTile.scale-200.png
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-string-l1-1-0.dll
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200_contrast-white.png
  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96.png
  C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\WinMetadata\Microsoft.UI.Xaml.winmd
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_radio_selected_18.svg
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sr.pak
  C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\SmallTile.scale-100.png
  C:\Program
Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-200.png 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe -
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.Resources\v4.0_3.0.0.0_fr_31bf3856ad364e35\Microsoft.PowerShell.Gpowershell.resources.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.mum 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-ConfigCI-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.mum 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-MultiPoint-Connector-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Fonts.Taml~und-Taml~1.0.mum 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3\f\atmlib.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..tend-apis.resources_31bf3856ad364e35_10.0.19041.1_en-us_55d5381dfc8d366f\OfflineFilesWmiProvider_Uninstall.mfl 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-robocopy.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_998c14c24d120743\Robocopy.exe.mui 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\INF\SMSvcHost 4.0.0.0\0000\_SMSvcHostPerfCounters_d.ini 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0015~31bf3856ad364e35~amd64~~10.0.19041.264.cat 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.mum 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p...appxmain.resources_31bf3856ad364e35_10.0.19041.964_en-us_f337cf878e4da36d\resources.en-US.pri 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\default.aspx.ja.resx 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\PolicyDefinitions\es-ES\KDC.adml 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-healthcenter.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_4791db0c8931450e\ActionCenter.dll.mui 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hello-face-migration_31bf3856ad364e35_10.0.19041.1202_none_9bdfa5795501df50\r\HelloFaceMigration.cat 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\pdferrorofflineaccessdenied.html 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_hyperv-vp9fs_31bf3856ad364e35_10.0.19041.153_none_dc5d06f37302e699\vp9fs.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\diagnostics\system\Audio\TS_SamplingRate.ps1 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1288_none_71734bf99a2a6955\r\Microsoft.Uev.PrinterCustomActions.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..lient-wmiv2provider_31bf3856ad364e35_10.0.19041.1_none_57caa85d110ad829\dnsclientpsprovider_Uninstall.mof 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\nextResult.png 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mccs-accountsrt_31bf3856ad364e35_10.0.19041.746_none_0d92d989634979d8\AccountsRt.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-partitionmanager_31bf3856ad364e35_10.0.19041.1110_none_56683e3b6f9cb252\partmgr.sys 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\HyperV-VmBus-VirtualDevice-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.mum 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-batmeter.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_ca9fdc92041a3143\batmeter.dll.mui 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..gshellapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_b4c98345579ad387\f\AppxManifest.xml 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-camera-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_62d1773606f507fb\Camera.adml 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\diagnostics\system\Printer\TS_PrinterTurnedOff.ps1 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\HyperV-Storage-VirtualDevice-PMEM-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..o-multi-dimensional_31bf3856ad364e35_10.0.19041.264_none_fc888bc204d36fa1\r\msadomd.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-component-opcom_31bf3856ad364e35_10.0.19041.1_none_59280f5751ee8923\OpcServices.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.19041.1266_none_3bcd0306a19592e2\Robocopy.exe 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_10.0.19041.1202_none_cd68049c9076546f\SFLISTWB.WOA.dat 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-NetFx-Shared-Typelibs~31bf3856ad364e35~amd64~~10.0.19041.1.cat 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1_none_97b0a47239f6db64\PeopleLogo.targetsize-48_altform-unplated.png 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-profsvc_31bf3856ad364e35_10.0.19041.1266_none_70772af2e7de61d2\f\profsvc.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.resources.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-charmap_31bf3856ad364e35_10.0.19041.1_none_a84acae243b8ad63\korean.uce 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardProviderInfo.ascx.it.resx 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\Prefetch\PfPre_e999a087.mkd 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..-japanese-legacyapi_31bf3856ad364e35_10.0.19041.746_none_955d9baed0aa3546\Windows.Globalization.JapanesePhoneme.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\HyperV-UX-UI-63-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\memoryAnalyzer\images\i_foldin.png 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-e..eyboardfilterdriver_31bf3856ad364e35_10.0.19041.844_none_8ef1864943188138\r\kbldfltr.sys 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mdm-adm.resources_31bf3856ad364e35_10.0.19041.662_en-us_ed46a9fe02dfcefc\f\MDM.adml 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Management.Resources\2.0.0.0_de_b03f5f7f11d50a3a\System.Management.Resources.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Shell32-OEMDefaultAssociations-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.mum 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_c_fsreplication.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c94cccce349a3631\c_fsreplication.inf_loc 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_dual_ntprint.inf_31bf3856ad364e35_10.0.19041.906_none_c3423ff2a842a4c8\Amd64\PSCRIPT.NTF 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\activity-sync-consent.svg 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.19041.1081_none_20871f311cebb1df\f\RasMigPlugin.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\rescache\_merged\2899339121\3645577969.pri 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-UtilityVM-Containers-Shared-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-RDC-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.mum 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\Multimedia-RestrictedCodecsCore-WCOSMinusHeadless-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_10.0.19041.264_none_7a40d01e6ba302b9\r\mf.dll 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-WordPad-FoD-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\Speech\Engines\Lexicon\ja-JP\grph1041.lxa 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-enterprise-license_31bf3856ad364e35_10.0.19041.1266_none_b587b6bda28cdd81\Enterprise-Volume-CSVLK-3-pl-rtm.xrm-ms 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
File opened for modification C:\Windows\servicing\Packages\HyperV-Hypervisor-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process
Token: SeDebugPrivilege 2180 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
Token: SeTcbPrivilege 2180 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
Token: SeTakeOwnershipPrivilege 2180 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
Token: SeSecurityPrivilege 2180 2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
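The signature tables above are what a responder reads first: files rewritten under C:\Windows and both Program Files trees, the NLS\Language key read (the check ATT&CK catalogues as T1614.001), and a single process (PID 2180) enabling SeDebugPrivilege, SeTcbPrivilege, SeTakeOwnershipPrivilege and SeSecurityPrivilege, the last two being what a user-mode process needs to take ownership of and rewrite the DACL on files it could not otherwise open for write. The script below is an added example, not part of the sandbox's tooling or the sample: it parses the three record shapes this report uses, summarises the modified paths by root directory and extension, and applies a few rule-of-thumb findings. The sample lines are constructed from rows on this page; the finding labels and the threshold in assess() are my own assumptions, not sandbox conventions.

```python
"""Triage helper for sandbox reports of the kind shown above (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

PROC = "2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe"

# Constructed sample: a handful of this report's own rows, one record per line.
SAMPLE_LINES = [
    r"File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar",
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp",
    r"File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo",
    r"File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-partitionmanager_31bf3856ad364e35_10.0.19041.1110_none_56683e3b6f9cb252\partmgr.sys",
    r"File opened for modification C:\Windows\diagnostics\system\Audio\TS_SamplingRate.ps1",
    r"File opened for modification C:\Windows\PolicyDefinitions\es-ES\KDC.adml",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
    "Token: SeDebugPrivilege 2180",
    "Token: SeTcbPrivilege 2180",
    "Token: SeTakeOwnershipPrivilege 2180",
    "Token: SeSecurityPrivilege 2180",
]
SAMPLE_REPORT = "\n".join(f"{line} {PROC}" for line in SAMPLE_LINES)

# The process name is the last whitespace-free token; paths may contain spaces,
# so the path group is greedy and backtracks to the final space.
FILE_RE = re.compile(r"^File opened for modification (?P<path>.+) (?P<proc>\S+)$")
KEY_RE = re.compile(r"^Key opened (?P<key>\S+) (?P<proc>\S+)$")
TOKEN_RE = re.compile(r"^Token: (?P<priv>Se\w+Privilege) (?P<pid>\d+) (?P<proc>\S+)$")

SYSTEM_ROOTS = {r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"}
# Reading this key is the language check the report flags (ATT&CK T1614.001).
NLS_LANGUAGE_SUFFIX = r"\CONTROL\NLS\LANGUAGE"
# Ownership plus DACL-write privileges: enough to rewrite ACL-protected files.
OWNERSHIP_PRIVS = {"SeTakeOwnershipPrivilege", "SeSecurityPrivilege"}


@dataclass
class Report:
    files: list = field(default_factory=list)       # paths opened for modification
    keys: list = field(default_factory=list)        # registry keys opened
    privileges: dict = field(default_factory=dict)  # pid -> set of privilege names


def parse_report(text: str) -> Report:
    """Parse one record per line; lines matching none of the shapes are ignored."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FILE_RE.match(line):
            rep.files.append(m["path"])
        elif m := KEY_RE.match(line):
            rep.keys.append(m["key"])
        elif m := TOKEN_RE.match(line):
            rep.privileges.setdefault(int(m["pid"]), set()).add(m["priv"])
    return rep


def root_of(path: str) -> str:
    """Drive plus first directory, e.g. 'C:\\Program Files (x86)'."""
    parts = PureWindowsPath(path).parts
    return parts[0] + parts[1] if len(parts) > 1 else parts[0]


def summarize_roots(files) -> Counter:
    return Counter(root_of(p) for p in files)


def summarize_extensions(files) -> Counter:
    return Counter(PureWindowsPath(p).suffix.lower() for p in files)


def assess(rep: Report, min_system_files: int = 3) -> list:
    """Rule-based findings; labels and threshold are illustrative assumptions."""
    findings = []
    roots = summarize_roots(rep.files)
    system_hits = {r: n for r, n in roots.items() if r in SYSTEM_ROOTS}
    # Rewriting files across several protected trees, not just user data, is
    # the file-system footprint a locker leaves (the full report lists thousands).
    if len(system_hits) >= 2 and sum(system_hits.values()) >= min_system_files:
        findings.append("mass-modification-of-system-trees")
    if any(k.upper().endswith(NLS_LANGUAGE_SUFFIX) for k in rep.keys):
        findings.append("system-language-discovery")
    for pid, privs in sorted(rep.privileges.items()):
        if OWNERSHIP_PRIVS <= privs:
            findings.append(f"ownership-and-dacl-privileges-enabled:pid={pid}")
        if "SeDebugPrivilege" in privs:
            findings.append(f"debug-privilege-enabled:pid={pid}")
    return findings


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for root, n in summarize_roots(report.files).most_common():
        print(f"{n:5d}  {root}")
    print(dict(summarize_extensions(report.files)))
    for finding in assess(report):
        print("finding:", finding)
```

Feed it the full report text (one record per line) instead of SAMPLE_REPORT and the root counter shows at a glance how much of C:\Windows versus user data was touched; the same parser works for any report that keeps this row layout.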
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_58927a69657702c9ba253080a8055979_bitrat_cobalt-strike_venus-locker.exe"
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2180
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1