dotEXE1.exe

backendfu1m1
featuresanalog, overview
max_time_kernel266422
max_time_network266376
platformwindows10_x64
resourcewin10v20201028
submitted25-11-2020 13:36

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

dotEXE1.exe

Filesize

5MB

Completed

25-11-2020 13:42

Score

9 ^/10

MD5

d8e3e53d1eb7b3cc029ccd1b4af18aaa

SHA1

3e3057d6e140a8c7b29929b3982f3f27692635f6

SHA256

9811501a32c5d39dfccc30ada4c5538602a53b94d19ba0d6323c830f8234d27c

Defense Evasion

Discovery

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Executes dropped EXE
dotEXEPatcher.exedotEXE.exe

Reported IOCs

pid process

1556 dotEXEPatcher.exe
2760 dotEXE.exe

pid	process
1556	dotEXEPatcher.exe
2760	dotEXE.exe

Checks BIOS information in registry

dotEXEPatcher.exedotEXE.exe

Description

BIOS information is often read in order to detect sandboxing environments.

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dotEXEPatcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dotEXEPatcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dotEXE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dotEXE.exe

Loads dropped DLL
dotEXE.exe

Reported IOCs

pid process

2760 dotEXE.exe

Checks whether UAC is enabled

dotEXEPatcher.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dotEXEPatcher.exe

Suspicious use of NtSetInformationThreadHideFromDebugger
dotEXEPatcher.exe

Reported IOCs

pid process

1556 dotEXEPatcher.exe

pid	process
1556	dotEXEPatcher.exe

Modifies registry class

dotEXE1.exe

Reported IOCs

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	dotEXE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	dotEXE1.exe

Suspicious behavior: EnumeratesProcesses

dotEXE.exe

Reported IOCs

pid	process
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe

Suspicious use of SetWindowsHookEx
dotEXE1.exedotEXEPatcher.exedotEXE.exe

Reported IOCs

pid process

3980 dotEXE1.exe
3980 dotEXE1.exe
1556 dotEXEPatcher.exe
2760 dotEXE.exe

pid	process
3980	dotEXE1.exe
3980	dotEXE1.exe
1556	dotEXEPatcher.exe
2760	dotEXE.exe

Suspicious use of WriteProcessMemory

dotEXEPatcher.exe

Reported IOCs

description	pid	process	target process
PID 1556 wrote to memory of 2760	1556	dotEXEPatcher.exe	dotEXE.exe
PID 1556 wrote to memory of 2760	1556	dotEXEPatcher.exe	dotEXE.exe
PID 1556 wrote to memory of 2760	1556	dotEXEPatcher.exe	dotEXE.exe

C:\Users\Admin\AppData\Local\Temp\dotEXE1.exe

"C:\Users\Admin\AppData\Local\Temp\dotEXE1.exe"

Modifies registry class
Suspicious use of SetWindowsHookEx

PID:3980

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\javaw.jar"

PID:1552

C:\Users\Admin\Desktop\dotEXEPatcher.exe

"C:\Users\Admin\Desktop\dotEXEPatcher.exe" C:\Users\Admin\Desktop\dotEXE.exe

Executes dropped EXE
Checks BIOS information in registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1556

C:\Users\Admin\Desktop\dotEXE.exe

"C:\Users\Admin\Desktop\dotEXE.exe"

Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx

PID:2760

Collection

Command and Control

Credential Access

Defense Evasion

Virtualization/Sandbox Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\Desktop\VenTaz.dll

MD5
51cc261f26d457fd9124e0fee73b1685

SHA1
1c18998b876a5a3bcf578bf060b7f9ad0b60a1be

SHA256
93cde449786de5bc1635979ad01b2bda46ff7898de97b233c067d1609bf92b70

SHA512
fb77eb3e0158abf00fdf2c4a6ce796d2bafa3cb1ef7ed5d0e78451e18e6e288919f35ba0cf2cfb8843c41aec149519812aa2f3a6c57cfa2f501c76e020e4e072

Download Submit
C:\Users\Admin\Desktop\dotEXE.exe

MD5
e86baf40ee8cca6731a956df1c4551df

SHA1
6227915aa0348b97e817432c55c486621b7aadd8

SHA256
0f1859a87cae5d3062a4b1b7c0785b9b1868c99188a6ad2cba32255f1573e54a

SHA512
7b63d40063b591fdf6ba0bad459e242fe191c8216026dfef5088c2463cdabfed1021d4f69ae2306a0add654877eb4ed7c71f8a7f3add044ec50ace5acf8d9d5a

Download Submit
C:\Users\Admin\Desktop\dotEXE.exe

MD5
e86baf40ee8cca6731a956df1c4551df

SHA1
6227915aa0348b97e817432c55c486621b7aadd8

SHA256
0f1859a87cae5d3062a4b1b7c0785b9b1868c99188a6ad2cba32255f1573e54a

SHA512
7b63d40063b591fdf6ba0bad459e242fe191c8216026dfef5088c2463cdabfed1021d4f69ae2306a0add654877eb4ed7c71f8a7f3add044ec50ace5acf8d9d5a

Download Submit
C:\Users\Admin\Desktop\dotEXEPatcher.exe

MD5
dce9450af517d871efddfa963473997e

SHA1
19ddcb014becd8ab04aed8e454b38cb895198fe3

SHA256
ea106eb2cf2861a5008830b95d4ca4051540c1c04bd0fdb1ff9853ef643528c6

SHA512
11ba5f9edad86a8a289ee2f8deb532b03eaa55d83617c8286db300b415392d62754c5e0d6e1934fde513ec576b82d7df8b28d12e46118ec82720ebccd03c2eea

Download Submit
C:\Users\Admin\Desktop\dotEXEPatcher.exe

MD5
dce9450af517d871efddfa963473997e

SHA1
19ddcb014becd8ab04aed8e454b38cb895198fe3

SHA256
ea106eb2cf2861a5008830b95d4ca4051540c1c04bd0fdb1ff9853ef643528c6

SHA512
11ba5f9edad86a8a289ee2f8deb532b03eaa55d83617c8286db300b415392d62754c5e0d6e1934fde513ec576b82d7df8b28d12e46118ec82720ebccd03c2eea

Download Submit
\Users\Admin\Desktop\VenTaz.dll

MD5
51cc261f26d457fd9124e0fee73b1685

SHA1
1c18998b876a5a3bcf578bf060b7f9ad0b60a1be

SHA256
93cde449786de5bc1635979ad01b2bda46ff7898de97b233c067d1609bf92b70

SHA512
fb77eb3e0158abf00fdf2c4a6ce796d2bafa3cb1ef7ed5d0e78451e18e6e288919f35ba0cf2cfb8843c41aec149519812aa2f3a6c57cfa2f501c76e020e4e072

Download Submit
memory/1556-3-0x00007FF701850000-0x00007FF701D83000-memory.dmp

Download
memory/1556-2-0x00007FF701850000-0x00007FF701D83000-memory.dmp

Download
memory/2760-4-0x0000000000000000-mapping.dmp

Download
memory/2760-9-0x00007FF7520B0000-0x00007FF75281C000-memory.dmp

Download
memory/2760-10-0x00007FF7520B0000-0x00007FF75281C000-memory.dmp

Download

dotEXE1.exe

Filter: none

Tags

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title