Analysis

  • max time kernel
    107s
  • max time network
    109s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    25-11-2020 13:39

Errors

  • Reason
    Machine shutdown

General

  • Target
    dotEXE1.exe
  • Size
    7.6MB
  • MD5
    577594e40e94b665829e6e23c7fc8203
  • SHA1
    0085845381c7d3f6bdb07a8281fdb7302f733577
  • SHA256
    417ad511cc354f6391cc90451d8925ae8df9a0cb5808fa9bac0c2e91d3a243af
  • SHA512
    5c7c4c646f87dee1d16cd5839b1e439d3d0d9c7e1c1808c480c113fa8b169ec7468b06341cfdfba9b08dfd836427514e41eb3410599d0f94a27ad29f3fa82c07

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Executes dropped EXE 3 IoCs
  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 74 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
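
The signatures above are the sandbox's labels; the same behaviours can be checked in endpoint telemetry. The Python below is an added example and is not part of this report or of the sandbox's own signature code. It runs three checks over constructed Sysmon-style events (process creation, EventID 1; registry value set, EventID 13) modelled on this report's process tree: a write to the Winlogon auto-logon values (the value names AutoAdminLogon, DefaultUserName and DefaultPassword are the standard ones and are an assumption, since the report does not list the registry IoCs behind its signature), tasklist spawned by a JVM with a status filter, and a JVM started with -jar pointing at a file that is not a .jar, which is how s.exe is run here.

```python
"""Detection logic for the behaviours listed under Signatures.

Added example; not part of the sandbox report and not the sandbox's own
signature code. SAMPLE_EVENTS is constructed to resemble Sysmon
process-creation (EventID 1) and registry-value-set (EventID 13) events and
is modelled on the process tree of this report. The Winlogon value names are
the standard auto-logon values and are an assumption: the report does not
list the registry IoCs behind its signature.
"""
from typing import List

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUTOLOGON_VALUES = {"autoadminlogon", "defaultusername", "defaultpassword"}
JVM_IMAGES = {"java.exe", "javaw.exe"}


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted
    arguments (such as "STATUS eq RUNNING") together and dropping the quotes."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> List[str]:
    """Process-creation checks: tasklist spawned by a JVM, and a JVM told to
    run a "jar" whose file name does not end in .jar (s.exe in this report)."""
    findings = []
    image = basename(ev["Image"])
    parent = basename(ev.get("ParentImage", ""))
    args = split_cmdline(ev["CommandLine"])
    lower = [a.lower() for a in args]
    if image == "tasklist.exe" and parent in JVM_IMAGES and "/fi" in lower:
        findings.append(f"process-discovery: {parent} -> {ev['CommandLine']}")
    if image in JVM_IMAGES and "-jar" in lower:
        i = lower.index("-jar") + 1
        target = args[i] if i < len(args) else ""
        if target and not target.lower().endswith(".jar"):
            findings.append(f"jar-in-exe: {image} -jar {target}")
    return findings


def check_registry(ev: dict) -> List[str]:
    """Registry-set check: any write to the Winlogon auto-logon values."""
    key, _, value = ev["TargetObject"].rpartition("\\")
    if key.lower() == WINLOGON.lower() and value.lower() in AUTOLOGON_VALUES:
        return [f"autologon: {basename(ev['Image'])} set {value}={ev.get('Details', '')}"]
    return []


def scan(events: List[dict]) -> List[str]:
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            findings.extend(check_process(ev))
        elif ev["EventID"] == 13:
            findings.extend(check_registry(ev))
    return findings


# Constructed sample events (not real telemetry), following the report's process tree.
JAVAW = r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": JAVAW, "ParentImage": r"C:\Users\Admin\Desktop\s.exe",
     "CommandLine": f'"{JAVAW}" -Xmx256m -jar "C:\\Users\\Admin\\Desktop\\s.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\SYSTEM32\tasklist.exe", "ParentImage": JAVAW,
     "CommandLine": 'tasklist /V /FI "STATUS eq RUNNING" /FO CSV /NH'},
    # The report hangs the Winlogon change under LogonUI.exe; the writer is whatever the event records.
    {"EventID": 13, "Image": r"C:\Windows\system32\LogonUI.exe",
     "TargetObject": WINLOGON + r"\AutoAdminLogon", "Details": "1"},
    {"EventID": 13, "Image": r"C:\Windows\system32\LogonUI.exe",
     "TargetObject": WINLOGON + r"\DefaultPassword", "Details": "(value not recorded)"},
    # Benign look-alikes that must not fire: tasklist from a shell, a real .jar from a build tool.
    {"EventID": 1, "Image": r"C:\Windows\System32\tasklist.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": 'tasklist /FI "STATUS eq RUNNING"'},
    {"EventID": 1, "Image": r"C:\Program Files\Java\jre1.8.0_66\bin\java.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"java -jar C:\build\app.jar"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Two benign look-alikes are in the sample (tasklist run from cmd.exe, java -jar on a real .jar) so the checks can be seen not to fire on them. In production the AutoAdminLogon match needs an allow-list for kiosk and imaging builds that set it legitimately, and Sysmon records registry writes but not reads, so the BIOS and ACPI registry lookups the sandbox flags are not visible this way.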

Processes

  • C:\Users\Admin\AppData\Local\Temp\dotEXE1.exe
    "C:\Users\Admin\AppData\Local\Temp\dotEXE1.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4704
  • C:\Users\Admin\Desktop\s.exe
    "C:\Users\Admin\Desktop\s.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Xmx256m -Dfile.encoding=UTF-8 -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Addresses=false -jar "C:\Users\Admin\Desktop\s.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -XX:+DisableAttachMechanism -Xmx256M -jar C:\Users\Admin\Desktop\s.exe
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4504
        • C:\Windows\SYSTEM32\tasklist.exe
          tasklist /V /FI "STATUS eq RUNNING" /FO CSV /NH
          4⤵
          • Enumerates processes with tasklist
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1184
        • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
          "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\.prostocraft\Updater.jar -copyPendingUpdate C:\Users\Admin\Desktop\s.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
            "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Xmx256M -jar C:\Users\Admin\Desktop\s.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:188
            • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
              "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -XX:+DisableAttachMechanism -Xmx256M -jar C:\Users\Admin\Desktop\s.exe
              6⤵
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3976
              • C:\Windows\SYSTEM32\tasklist.exe
                tasklist /V /FI "STATUS eq RUNNING" /FO CSV /NH
                7⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:4880
  • C:\Users\Admin\Desktop\dotEXEPatcher.exe
    "C:\Users\Admin\Desktop\dotEXEPatcher.exe" C:\Users\Admin\Desktop\dotEXE.exe
    1⤵
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Users\Admin\Desktop\dotEXE.exe
      "C:\Users\Admin\Desktop\dotEXE.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4644
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
    1⤵
    • Modifies WinLogon to allow AutoLogon
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1412
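
In the tree above s.exe is executed directly (PID 4364) and also handed to javaw.exe as the -jar argument (PIDs 3052, 4504, 188, 3976). That works only if the file is at once a PE and a valid ZIP: a JAR appended to a native stub is located from its end-of-central-directory record, so the JVM never looks at the stub. The hashes under Downloads are of the whole file (the last s.exe entry carries the same hashes as .prostocraft\pending-update.exe, consistent with the Updater.jar -copyPendingUpdate step replacing it), so rebuilding the launcher around the same JAR changes every reported hash. The Python below is an added example, not code from the report or from the sample; it carves the archive, hashes stub and JAR separately and reads the manifest Main-Class. The launcher bytes and entry names are constructed for the example.

```python
"""Carve the JAR that rides at the end of a native launcher such as s.exe.

Added example; not code from the report or from the sample. A JAR is a ZIP,
and a ZIP is read from its end-of-central-directory (EOCD) record, so the JVM
runs 'javaw -jar s.exe' as long as an archive sits at the end of the file.
The stub bytes built here are a constructed stand-in for a launcher, not a
real PE and not the real s.exe; the entry names are invented for the example.
"""
import hashlib
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4sHHHHIIH"  # sig, disk, cd disk, entries on disk, entries, cd size, cd offset, comment len
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22 bytes


def build_wrapped_jar(main_class: str = "ru.example.Launcher") -> bytes:
    """Constructed input: fake launcher bytes followed by a minimal JAR."""
    stub = b"MZ" + b"\x90" * 510 + b"fake launcher stub\x00"  # not a real PE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n\r\n")
        z.writestr("ru/example/Launcher.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)  # fake class file
    return stub + buf.getvalue()


def find_embedded_zip(data: bytes):
    """Return (start, end) of a ZIP archive that ends the file, or None.

    Searches backwards for the EOCD signature (an archive may end with a
    comment of up to 65535 bytes) and derives the archive start from the
    central directory size and offset, which is how prepended data is skipped.
    """
    tail = data[-(EOCD_LEN + 0xFFFF):]
    base = len(data) - len(tail)
    pos = tail.rfind(EOCD_SIG)
    while pos != -1:
        eocd = base + pos
        if eocd + EOCD_LEN <= len(data):
            _, _, _, _, _, cd_size, cd_offset, comment_len = struct.unpack(
                EOCD_FMT, data[eocd:eocd + EOCD_LEN])
            start = eocd - cd_size - cd_offset
            end = eocd + EOCD_LEN + comment_len
            if start >= 0 and end == len(data):
                return start, end
        pos = tail.rfind(EOCD_SIG, 0, pos)
    return None


def carve_jar(data: bytes):
    """Split launcher and archive, hash both, and read the manifest Main-Class."""
    span = find_embedded_zip(data)
    if span is None:
        return None
    start, end = span
    jar = data[start:end]
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        names = z.namelist()
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    main_class = ""
    for line in manifest.splitlines():
        if line.lower().startswith("main-class:"):
            main_class = line.split(":", 1)[1].strip()
    return {
        "launcher_bytes": start,                            # size of the native stub before the archive
        "file_sha256": hashlib.sha256(data).hexdigest(),   # what a sandbox reports for the dropped .exe
        "jar_sha256": hashlib.sha256(jar).hexdigest(),     # what to pivot on across re-wrapped builds
        "entries": names,
        "main_class": main_class,
    }


if __name__ == "__main__":
    info = carve_jar(build_wrapped_jar())
    for k, v in info.items():
        print(f"{k}: {v}")
```

Python's zipfile, like the JVM, tolerates the prepended stub on its own; carving explicitly is what gives a stable hash for the JAR and a clean artefact for decompilation. Offsets inside the carved JAR are relative to the archive start, so the central directory remains valid after the stub is removed.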

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Winlogon Helper DLL (T1004): 1
  • Defense Evasion
    Virtualization/Sandbox Evasion (T1497): 1
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 2
    Virtualization/Sandbox Evasion (T1497): 1
    System Information Discovery (T1082): 2
    Process Discovery (T1057): 1

Downloads

  • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
    MD5

    2ad6b967c75850561bd9d832c04eff61

    SHA1

    a6417c91b92f2bf1af81b02957609c08336c766d

    SHA256

    3c9cd41072a03bd80b4e53306cf11558ad31a6bf485893daa6088f1b040eec8c

    SHA512

    fa4ffec980e4321ee48fe40b54422ee2631a6cb6a11f31715b7c2b3c574ae2f891cda4309507b56004ed735f766134af953cf4e8ca3bcc07e00f73324d545ca6

  • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
    MD5

    966fbc3e25c2998689c29691475176f3

    SHA1

    52bd03c8c08f35bc3d7a85500f1c7f1e752e520c

    SHA256

    d7d6f9c3fbc43c471c06547b793f35d3ef9d14008295967ff80c6ed9cb564ab8

    SHA512

    c228c2cd7692620752af522d07a83a5c607fe8d788da11276af38e98183d087346e4647ed8b335050cdd6c1119eb40ecd29a8d1db8b66738de60bf40c63aee4a

  • C:\Users\Admin\.prostocraft\Updater.jar
    MD5

    85bf36ab663244b4a78a728a511873ce

    SHA1

    620b09bf71be00c14fe15f87e736fd0e77366b7d

    SHA256

    da31668a58f996527a9617a670e41e2cedc441817bef94c7147d43af84d3d411

    SHA512

    2949521445d3b1a3578e283803e731e6fb99d266366621a058d0d82ab20cf090c91a35cb79b1fb82ce38f412d0d8c3d83b723c3e54fc8719d5a1c0ee356929ff

  • C:\Users\Admin\.prostocraft\logs\latest.log
    MD5

    e9f20eca6f2cc31f979c308bf6aa75f4

    SHA1

    46a688435f35818fd34c61d8fff1367decb58913

    SHA256

    23b100a9d410942a46a3430db49bcb3073629e0be634c68370cf9c41a5dfc835

    SHA512

    d04034fa182ef7401208fb5094f45b986e128ee5cfe3864e890555289d1b781640e042fc3ddcfc62d95be817873e56f0d832cd6085a0f5eb4f0f511d1590dfd7

  • C:\Users\Admin\.prostocraft\pending-update.exe
    MD5

    9db2bca7577252622a841d2a1add925f

    SHA1

    3ecef99f64ec69d753dd6daf3b79b936424b6686

    SHA256

    7fd9d4c68d8d09d1e70b3b853e59c6ba15ab962e1528f9346e737fe607f5b614

    SHA512

    10a8cca310485142254d71a2cb572cc909253dc22c5e24d06e97cd2c36bb1548622900d618fc1fc8f89b40ad4b410b3195e34e7d053f1f4cf1027c285139b207

  • C:\Users\Admin\.prostocraft\settings.json
    MD5

    31ecfb5b14bbc0207ec94af00425f5fc

    SHA1

    6ea181577179f3e95ac5b9e2ef5da9d4903f94f7

    SHA256

    c821800d70c0c28d248de1fe3e36cea3b36aef98f178cd7ed5cc68ad7af28214

    SHA512

    5d6797b933d620ca1596b5f8c612e9ca682738bfd2f4ff9c7dccd7d95c0d52913eda1f9bcf0a7ba8b49c10fbbc60f019d905f4195a30450c65333b98665ca7fd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\83aa4cc77f591dfc2374580bbd95f6ba_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
    MD5

    c8366ae350e7019aefc9d1e6e6a498c6

    SHA1

    5731d8a3e6568a5f2dfbbc87e3db9637df280b61

    SHA256

    11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

    SHA512

    33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

  • C:\Users\Admin\Desktop\VenTaz.dll
    MD5

    51cc261f26d457fd9124e0fee73b1685

    SHA1

    1c18998b876a5a3bcf578bf060b7f9ad0b60a1be

    SHA256

    93cde449786de5bc1635979ad01b2bda46ff7898de97b233c067d1609bf92b70

    SHA512

    fb77eb3e0158abf00fdf2c4a6ce796d2bafa3cb1ef7ed5d0e78451e18e6e288919f35ba0cf2cfb8843c41aec149519812aa2f3a6c57cfa2f501c76e020e4e072

  • C:\Users\Admin\Desktop\dotEXE.exe
    MD5

    e86baf40ee8cca6731a956df1c4551df

    SHA1

    6227915aa0348b97e817432c55c486621b7aadd8

    SHA256

    0f1859a87cae5d3062a4b1b7c0785b9b1868c99188a6ad2cba32255f1573e54a

    SHA512

    7b63d40063b591fdf6ba0bad459e242fe191c8216026dfef5088c2463cdabfed1021d4f69ae2306a0add654877eb4ed7c71f8a7f3add044ec50ace5acf8d9d5a

  • C:\Users\Admin\Desktop\dotEXEPatcher.exe
    MD5

    dce9450af517d871efddfa963473997e

    SHA1

    19ddcb014becd8ab04aed8e454b38cb895198fe3

    SHA256

    ea106eb2cf2861a5008830b95d4ca4051540c1c04bd0fdb1ff9853ef643528c6

    SHA512

    11ba5f9edad86a8a289ee2f8deb532b03eaa55d83617c8286db300b415392d62754c5e0d6e1934fde513ec576b82d7df8b28d12e46118ec82720ebccd03c2eea

  • C:\Users\Admin\Desktop\s.exe
    MD5

    575033a2ec1fc9de82fecde5f0e6f151

    SHA1

    00914dbe00302d3a0e5ac674256fb4c3412af88e

    SHA256

    61e4956804acbc4505ac4483edeffd242f5835b34e7c6538ff4cca2a349e85fb

    SHA512

    f05f8399b3b3f1e276d2ba00ccc7b074df5910f0dc27ccdb3f730838b709ec434e29078db0b3f94152fa8f6ee98d2f9b09d86a0429c5de5d65d0c2f5d099c856

  • C:\Users\Admin\Desktop\s.exe
    MD5

    9db2bca7577252622a841d2a1add925f

    SHA1

    3ecef99f64ec69d753dd6daf3b79b936424b6686

    SHA256

    7fd9d4c68d8d09d1e70b3b853e59c6ba15ab962e1528f9346e737fe607f5b614

    SHA512

    10a8cca310485142254d71a2cb572cc909253dc22c5e24d06e97cd2c36bb1548622900d618fc1fc8f89b40ad4b410b3195e34e7d053f1f4cf1027c285139b207

  • \Users\Admin\Desktop\VenTaz.dll
    MD5

    51cc261f26d457fd9124e0fee73b1685

    SHA1

    1c18998b876a5a3bcf578bf060b7f9ad0b60a1be

    SHA256

    93cde449786de5bc1635979ad01b2bda46ff7898de97b233c067d1609bf92b70

    SHA512

    fb77eb3e0158abf00fdf2c4a6ce796d2bafa3cb1ef7ed5d0e78451e18e6e288919f35ba0cf2cfb8843c41aec149519812aa2f3a6c57cfa2f501c76e020e4e072

  • memory/188-70-0x0000000000000000-mapping.dmp
  • memory/1184-34-0x0000000000000000-mapping.dmp
  • memory/2540-65-0x0000000000000000-mapping.dmp
  • memory/2908-77-0x00007FF701D30000-0x00007FF702263000-memory.dmp
    Filesize

    5.2MB

  • memory/2908-76-0x00007FF701D30000-0x00007FF702263000-memory.dmp
    Filesize

    5.2MB

  • memory/3052-3-0x0000000000000000-mapping.dmp
  • memory/3976-92-0x0000000000000000-mapping.dmp
  • memory/4504-14-0x0000000000000000-mapping.dmp
  • memory/4644-83-0x0000000000000000-mapping.dmp
  • memory/4644-91-0x00007FF79D1C0000-0x00007FF79D92C000-memory.dmp
    Filesize

    7.4MB

  • memory/4644-94-0x00007FF79D1C0000-0x00007FF79D92C000-memory.dmp
    Filesize

    7.4MB

  • memory/4880-115-0x0000000000000000-mapping.dmp