File 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

Size 225.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 eae3f9f84a8b6756db599963aa4f49d1
SHA1 c40909226c102ceb3cf97e9037c590f1623af013
SHA256 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028
SHA512 dddcee2f12c1a0d8f0dd9a95e4b8f0841519361880d280beab3befd4afcebdecc9b8a32b1aedb9b9f542a22f6dc7c00af3afff93a0dc588f80d6a292a5a96602
CRC32 3C235E5D
ssdeep None
Yara
  • screenshot - Take screenshot
  • spreading_share - Malware can spread east-west using share drive
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category: FILE
Started: April 8, 2025, 11:36 a.m.
Completed: April 8, 2025, 11:44 a.m.
Duration: 471 seconds
Routing: internet

Analyzer Log

2025-04-08 11:32:54,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpf7a_02
2025-04-08 11:32:54,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\rhDEperwJhZeDMKwYxSYiJaTn
2025-04-08 11:32:54,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\UrRgtPoRmXhheTeiu
2025-04-08 11:32:54,375 [analyzer] DEBUG: Started auxiliary module Curtain
2025-04-08 11:32:54,375 [analyzer] DEBUG: Started auxiliary module DbgView
2025-04-08 11:32:54,842 [analyzer] DEBUG: Started auxiliary module Disguise
2025-04-08 11:32:55,078 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-04-08 11:32:55,078 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-04-08 11:32:55,078 [analyzer] DEBUG: Started auxiliary module Human
2025-04-08 11:32:55,078 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-04-08 11:32:55,092 [analyzer] DEBUG: Started auxiliary module Reboot
2025-04-08 11:32:55,187 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-04-08 11:32:55,187 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-04-08 11:32:55,187 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-04-08 11:32:55,187 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-04-08 11:32:55,342 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe' with arguments '' and pid 2172
2025-04-08 11:32:55,562 [analyzer] DEBUG: Loaded monitor into process with pid 2172
2025-04-08 11:32:55,671 [analyzer] INFO: Added new file to list with pid 2172 and path C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
2025-04-08 11:32:57,203 [analyzer] INFO: Injected into process with pid 2116 and name ''
2025-04-08 11:32:57,312 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 2116.
2025-04-08 11:32:57,375 [analyzer] INFO: Injected into process with pid 1076 and name u'cmd.exe'
2025-04-08 11:32:57,437 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 2172.
2025-04-08 11:32:57,483 [analyzer] DEBUG: Loaded monitor into process with pid 2116
2025-04-08 10:41:01,111 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-04-08 10:41:01,111 [lib.api.process] WARNING: The process with pid 2172 is not alive, memory dump aborted
2025-04-08 10:41:01,331 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 2116.
2025-04-08 10:41:01,486 [lib.api.process] ERROR: Failed to dump memory of 64-bit process with pid 1076.
2025-04-08 10:41:01,846 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-04-08 10:41:01,846 [lib.api.process] INFO: Successfully terminated process with pid 2116.
2025-04-08 10:41:01,846 [lib.api.process] INFO: Successfully terminated process with pid 1076.
2025-04-08 10:41:01,846 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-04-08 11:36:49,595 [cuckoo.core.scheduler] INFO: Task #6249995: acquired machine win7x6427 (label=win7x6427)
2025-04-08 11:36:49,598 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.227 for task #6249995
2025-04-08 11:36:49,936 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1991776 (interface=vboxnet0, host=192.168.168.227)
2025-04-08 11:36:50,460 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6427
2025-04-08 11:36:51,041 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6427 to vmcloak
2025-04-08 11:40:22,497 [cuckoo.core.guest] INFO: Starting analysis #6249995 on guest (id=win7x6427, ip=192.168.168.227)
2025-04-08 11:40:23,501 [cuckoo.core.guest] DEBUG: win7x6427: not ready yet
2025-04-08 11:40:28,523 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6427, ip=192.168.168.227)
2025-04-08 11:40:28,592 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6427, ip=192.168.168.227, monitor=latest, size=6660546)
2025-04-08 11:40:30,729 [cuckoo.core.resultserver] DEBUG: Task #6249995: live log analysis.log initialized.
2025-04-08 11:40:31,766 [cuckoo.core.resultserver] DEBUG: Task #6249995 is sending a BSON stream
2025-04-08 11:40:32,245 [cuckoo.core.resultserver] DEBUG: Task #6249995 is sending a BSON stream
2025-04-08 11:40:33,063 [cuckoo.core.resultserver] DEBUG: Task #6249995: File upload for 'shots/0001.jpg'
2025-04-08 11:40:33,083 [cuckoo.core.resultserver] DEBUG: Task #6249995 uploaded file length: 133482
2025-04-08 11:40:34,157 [cuckoo.core.resultserver] DEBUG: Task #6249995 is sending a BSON stream
2025-04-08 11:40:34,220 [cuckoo.core.resultserver] DEBUG: Task #6249995 is sending a BSON stream
2025-04-08 11:40:45,454 [cuckoo.core.guest] DEBUG: win7x6427: analysis #6249995 still processing
2025-04-08 11:41:00,986 [cuckoo.core.guest] DEBUG: win7x6427: analysis #6249995 still processing
2025-04-08 11:41:01,613 [cuckoo.core.resultserver] DEBUG: Task #6249995: File upload for 'curtain/1744101661.61.curtain.log'
2025-04-08 11:41:01,616 [cuckoo.core.resultserver] DEBUG: Task #6249995 uploaded file length: 36
2025-04-08 11:41:01,811 [cuckoo.core.resultserver] DEBUG: Task #6249995: File upload for 'sysmon/1744101661.8.sysmon.xml'
2025-04-08 11:41:01,841 [cuckoo.core.resultserver] DEBUG: Task #6249995 uploaded file length: 1730666
2025-04-08 11:41:01,853 [cuckoo.core.resultserver] DEBUG: Task #6249995: File upload for 'files/0a4e5832841ffff9_0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe'
2025-04-08 11:41:01,860 [cuckoo.core.resultserver] DEBUG: Task #6249995 uploaded file length: 230912
2025-04-08 11:41:01,875 [cuckoo.core.resultserver] DEBUG: Task #6249995 had connection reset for <Context for LOG>
2025-04-08 11:41:04,088 [cuckoo.core.guest] INFO: win7x6427: analysis completed successfully
2025-04-08 11:41:04,111 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-04-08 11:41:04,139 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-04-08 11:41:05,002 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6427 to path /srv/cuckoo/cwd/storage/analyses/6249995/memory.dmp
2025-04-08 11:41:05,003 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6427
2025-04-08 11:44:33,742 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.227 for task #6249995
2025-04-08 11:44:34,240 [cuckoo.core.scheduler] DEBUG: Released database task #6249995
2025-04-08 11:44:34,271 [cuckoo.core.scheduler] INFO: Task #6249995: analysis procedure completed

Signatures

Yara rules detected for file (5 events)
  • screenshot - Take screenshot
  • spreading_share - Malware can spread east-west using share drive
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .flat
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)
API: GetDiskFreeSpaceW
  number_of_free_clusters: 60088461
  sectors_per_cluster: 8
  bytes_per_sector: 512
  root_path: C:\
  total_number_of_clusters: 67031551
  Status: 1  Return: 1  Repeated: 0

API: GetDiskFreeSpaceW
  number_of_free_clusters: 66781
  sectors_per_cluster: 8
  bytes_per_sector: 512
  root_path: E:\
  total_number_of_clusters: 76799
  Status: 1  Return: 1  Repeated: 0
Creates executable files on the filesystem (1 event)
file C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
Creates hidden or system file (1 event)
API: NtCreateFile
  create_disposition: 5 (FILE_OVERWRITE_IF)
  file_handle: 0x000000b8
  filepath: C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
  file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
  filepath_r: \??\C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
  status_info: 2 (FILE_CREATED)
  share_access: 0 ()
  Status: 1  Return: 0  Repeated: 0
Drops a binary and executes it (1 event)
file C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
A process created a hidden window (3 events)
API: ShellExecuteExW
  show_type: 0
  filepath_r: C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  parameters: g g g o n e123
  filepath: C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  Status: 1  Return: 1  Repeated: 0

API: CreateProcessInternalW
  thread_identifier: 2492
  thread_handle: 0x000002b8
  process_identifier: 1076
  current_directory:
  filepath: C:\Windows\System32\cmd.exe
  track: 1
  command_line: /c ping localhost -n 3 > nul & del C:\Users\Administrator\AppData\Local\Temp\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  filepath_r: C:\Windows\System32\cmd.exe
  stack_pivoted: 0
  creation_flags: 134217728 (CREATE_NO_WINDOW)
  inherit_handles: 0
  process_handle: 0x000002b0
  Status: 1  Return: 1  Repeated: 0

API: CreateProcessInternalW
  thread_identifier: 2452
  thread_handle: 0x0000016c
  process_identifier: 1268
  current_directory:
  filepath: C:\Windows\System32\cmd.exe
  track: 1
  command_line: /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
  filepath_r: C:\Windows\System32\cmd.exe
  stack_pivoted: 0
  creation_flags: 134217728 (CREATE_NO_WINDOW)
  inherit_handles: 0
  process_handle: 0x00000170
  Status: 1  Return: 1  Repeated: 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
section .rdata (virtual_address 0x0001a000, virtual_size 0x0000ba6a, size_of_data 0x0000bc00, entropy 6.949859621356929) description A section with a high entropy has been found
entropy 0.209354120267 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)
API: LookupPrivilegeValueW
  system_name:
  privilege_name: SeDebugPrivilege
  Status: 1  Return: 1  Repeated: 0

API: LookupPrivilegeValueW
  system_name:
  privilege_name: SeTcbPrivilege
  Status: 1  Return: 1  Repeated: 0

API: LookupPrivilegeValueW
  system_name:
  privilege_name: SeTakeOwnershipPrivilege
  Status: 1  Return: 1  Repeated: 0

API: LookupPrivilegeValueW
  system_name:
  privilege_name: SeSecurityPrivilege
  Status: 1  Return: 1  Repeated: 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline /c ping localhost -n 3 > nul & del C:\Users\Administrator\AppData\Local\Temp\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
cmdline /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe reg_value C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2172 resumed a thread in remote process 2116
API: NtResumeThread
  thread_handle: 0x00000364
  suspend_count: 1
  process_identifier: 2116
  Status: 1  Return: 0  Repeated: 0
Uses Sysinternals tools in order to add additional command line functionality (1 event)
cmdline /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
File has been identified by 14 AntiVirus engines on IRMA as malicious (14 events)
G Data Antivirus (Windows) Virus: Trojan.Ransom.Venus.A (Engine A), Win32.Trojan-Ransom.VenusLocker.B (Engine B)
Avast Core Security (Linux) Win32:RansomX-gen [Ransom]
C4S ClamAV (Linux) Win.Ransomware.Bandook-9978067-1
Trend Micro SProtect (Linux) Ransom.Win32.VENUS.THIABBB
Trellix (Linux) GenericRXUD-MP
WithSecure (Linux) Trojan.TR/Crypt.XPACK.Gen
eScan Antivirus (Linux) Trojan.Ransom.Venus.A(DB)
ESET Security (Windows) a variant of Win32/Filecoder.Venus.E trojan
Sophos Anti-Virus (Linux) Mal/Generic-S
DrWeb Antivirus (Linux) Trojan.Encoder.33303
ClamAV (Linux) Win.Ransomware.Bandook-9978067-1
Bitdefender Antivirus (Linux) Trojan.Ransom.Venus.A
Kaspersky Standard (Windows) HEUR:Trojan-Ransom.Win32.Generic
Emsisoft Commandline Scanner (Windows) Trojan.Ransom.Venus.A (B)
File has been identified by 66 AntiVirus engines on VirusTotal as malicious (50 out of 66 events)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Venus.j!c
tehtris Generic.Malware
Cynet Malicious (score: 100)
CAT-QuickHeal Ransom.Venus.S28803801
Skyhigh BehavesLike.Win32.Dropper.dc
ALYac Trojan.Ransom.Filecoder
Cylance Unsafe
VIPRE Trojan.Ransom.Venus.A
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Trojan.Ransom.Venus.A
K7GW Ransomware ( 005a59901 )
K7AntiVirus Ransomware ( 005a59901 )
Arcabit Trojan.Ransom.Venus.A
VirIT Trojan.Win32.GenusT.DYBR
Symantec Downloader
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Filecoder.Venus.E
APEX Malicious
Avast Win32:RansomX-gen [Ransom]
ClamAV Win.Ransomware.Bandook-9978067-1
Kaspersky HEUR:Trojan-Ransom.Win32.Generic
Alibaba Ransom:Win32/Venus.97c020e1
NANO-Antivirus Virus.Win32.Gen.ccmw
MicroWorld-eScan Trojan.Ransom.Venus.A
Rising Ransom.Venus!1.E132 (CLASSIC)
Emsisoft Trojan.Ransom.Venus.A (B)
F-Secure Trojan.TR/Crypt.XPACK.Gen
DrWeb Trojan.Encoder.33303
Zillya Trojan.Filecoder.Win32.26814
TrendMicro Ransom.Win32.VENUS.THIABBB
McAfeeD ti!0A4E5832841F
Trapmine malicious.high.ml.score
CTX exe.ransomware.venus
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.eae3f9f84a8b6756
Jiangmin Trojan.Generic.hmtxt
Webroot W32.Ransom.Venus
Google Detected
Avira TR/Crypt.XPACK.Gen
Antiy-AVL Trojan[Ransom]/Win32.Venus
Kingsoft Win32.Troj.Generic.jm
Gridinsoft Ransom.Win32.AI.oa!s2
Xcitium Malware@#aio56u0t6vdi
Microsoft Ransom:Win32/Venus.A!dha
ViRobot Trojan.Win.Z.Venus.230912.B
GData Win32.Trojan-Ransom.VenusLocker.B
Varist W32/Filecoder.DT.gen!Eldorado
Screenshots

DNS (Name / Response / Post-Analysis Lookup): No hosts contacted.
Hosts (IP Address / Status / Action / VT / Location): No hosts contacted.