9811501a32c5d39dfccc30ada4c5538602a53b94d19ba0d6323c830f8234d27c

General

Target

dotEXE1.exe
Size

5.3MB
MD5

d8e3e53d1eb7b3cc029ccd1b4af18aaa
SHA1

3e3057d6e140a8c7b29929b3982f3f27692635f6
SHA256

9811501a32c5d39dfccc30ada4c5538602a53b94d19ba0d6323c830f8234d27c
SHA512

5f55b1a3de85d5d298ce2fe8915b0bc9918f3f0f9758180028dd89ac0b3913a369530eb8e520cffb35eebb46db583325f65a4d070751b7fd4b8022e9b697e667

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

dotEXEPatcher.exedotEXE.exe

pid process

1556 dotEXEPatcher.exe
2760 dotEXE.exe

pid	process
1556	dotEXEPatcher.exe
2760	dotEXE.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dotEXEPatcher.exedotEXE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dotEXEPatcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dotEXEPatcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dotEXE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dotEXE.exe

Loads dropped DLL 1 IoCs

Processes:

dotEXE.exe

pid process

2760 dotEXE.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

dotEXEPatcher.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dotEXEPatcher.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

dotEXEPatcher.exe

pid process

1556 dotEXEPatcher.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dotEXEPatcher.exe

pid	process
1556	dotEXEPatcher.exe

Modifies registry class 2 IoCs

Processes:

dotEXE1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	dotEXE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	dotEXE1.exe

Suspicious behavior: EnumeratesProcesses 70 IoCs

Processes:

dotEXE.exe

pid	process
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe
2760	dotEXE.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

dotEXE1.exedotEXEPatcher.exedotEXE.exe

pid process

3980 dotEXE1.exe
3980 dotEXE1.exe
1556 dotEXEPatcher.exe
2760 dotEXE.exe

pid	process
3980	dotEXE1.exe
3980	dotEXE1.exe
1556	dotEXEPatcher.exe
2760	dotEXE.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

dotEXEPatcher.exe

description	pid	process	target process
PID 1556 wrote to memory of 2760	1556	dotEXEPatcher.exe	dotEXE.exe
PID 1556 wrote to memory of 2760	1556	dotEXEPatcher.exe	dotEXE.exe
PID 1556 wrote to memory of 2760	1556	dotEXEPatcher.exe	dotEXE.exe

C:\Users\Admin\AppData\Local\Temp\dotEXE1.exe
"C:\Users\Admin\AppData\Local\Temp\dotEXE1.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\javaw.jar"
1⤵
PID:1552

C:\Users\Admin\Desktop\dotEXEPatcher.exe
"C:\Users\Admin\Desktop\dotEXEPatcher.exe" C:\Users\Admin\Desktop\dotEXE.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\Desktop\dotEXE.exe
"C:\Users\Admin\Desktop\dotEXE.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\VenTaz.dll
MD5
51cc261f26d457fd9124e0fee73b1685

SHA1
1c18998b876a5a3bcf578bf060b7f9ad0b60a1be

SHA256
93cde449786de5bc1635979ad01b2bda46ff7898de97b233c067d1609bf92b70

SHA512
fb77eb3e0158abf00fdf2c4a6ce796d2bafa3cb1ef7ed5d0e78451e18e6e288919f35ba0cf2cfb8843c41aec149519812aa2f3a6c57cfa2f501c76e020e4e072

Download Submit
C:\Users\Admin\Desktop\dotEXE.exe
MD5
e86baf40ee8cca6731a956df1c4551df

SHA1
6227915aa0348b97e817432c55c486621b7aadd8

SHA256
0f1859a87cae5d3062a4b1b7c0785b9b1868c99188a6ad2cba32255f1573e54a

SHA512
7b63d40063b591fdf6ba0bad459e242fe191c8216026dfef5088c2463cdabfed1021d4f69ae2306a0add654877eb4ed7c71f8a7f3add044ec50ace5acf8d9d5a

Download Submit
C:\Users\Admin\Desktop\dotEXE.exe
MD5
e86baf40ee8cca6731a956df1c4551df

SHA1
6227915aa0348b97e817432c55c486621b7aadd8

SHA256
0f1859a87cae5d3062a4b1b7c0785b9b1868c99188a6ad2cba32255f1573e54a

SHA512
7b63d40063b591fdf6ba0bad459e242fe191c8216026dfef5088c2463cdabfed1021d4f69ae2306a0add654877eb4ed7c71f8a7f3add044ec50ace5acf8d9d5a

Download Submit
C:\Users\Admin\Desktop\dotEXEPatcher.exe
MD5
dce9450af517d871efddfa963473997e

SHA1
19ddcb014becd8ab04aed8e454b38cb895198fe3

SHA256
ea106eb2cf2861a5008830b95d4ca4051540c1c04bd0fdb1ff9853ef643528c6

SHA512
11ba5f9edad86a8a289ee2f8deb532b03eaa55d83617c8286db300b415392d62754c5e0d6e1934fde513ec576b82d7df8b28d12e46118ec82720ebccd03c2eea

Download Submit
C:\Users\Admin\Desktop\dotEXEPatcher.exe
MD5
dce9450af517d871efddfa963473997e

SHA1
19ddcb014becd8ab04aed8e454b38cb895198fe3

SHA256
ea106eb2cf2861a5008830b95d4ca4051540c1c04bd0fdb1ff9853ef643528c6

SHA512
11ba5f9edad86a8a289ee2f8deb532b03eaa55d83617c8286db300b415392d62754c5e0d6e1934fde513ec576b82d7df8b28d12e46118ec82720ebccd03c2eea

Download Submit
\Users\Admin\Desktop\VenTaz.dll
MD5
51cc261f26d457fd9124e0fee73b1685

SHA1
1c18998b876a5a3bcf578bf060b7f9ad0b60a1be

SHA256
93cde449786de5bc1635979ad01b2bda46ff7898de97b233c067d1609bf92b70

SHA512
fb77eb3e0158abf00fdf2c4a6ce796d2bafa3cb1ef7ed5d0e78451e18e6e288919f35ba0cf2cfb8843c41aec149519812aa2f3a6c57cfa2f501c76e020e4e072

Download Submit
memory/1556-2-0x00007FF701850000-0x00007FF701D83000-memory.dmp

Filesize
5.2MB

Download
memory/1556-3-0x00007FF701850000-0x00007FF701D83000-memory.dmp

Filesize
5.2MB

Download
memory/2760-4-0x0000000000000000-mapping.dmp

Download
memory/2760-9-0x00007FF7520B0000-0x00007FF75281C000-memory.dmp

Filesize
7.4MB

Download
memory/2760-10-0x00007FF7520B0000-0x00007FF75281C000-memory.dmp

Filesize
7.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads