dotEXE1.exe

General
Target: dotEXE1.exe
Filesize: 5MB
Completed: 25-11-2020 13:42
Score: 9/10
MD5: d8e3e53d1eb7b3cc029ccd1b4af18aaa
SHA1: 3e3057d6e140a8c7b29929b3982f3f27692635f6
SHA256: 9811501a32c5d39dfccc30ada4c5538602a53b94d19ba0d6323c830f8234d27c

Malware Config
Signatures (10)

Tactics: Defense Evasion, Discovery

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    TTPs: Query Registry, Virtualization/Sandbox Evasion
  • Executes dropped EXE
    Processes: dotEXEPatcher.exe, dotEXE.exe

    Reported IOCs (PID | process):
    1556 | dotEXEPatcher.exe
    2760 | dotEXE.exe
  • Checks BIOS information in registry
    Processes: dotEXEPatcher.exe, dotEXE.exe

    Description: BIOS information is often read in order to detect sandboxing environments.

    TTPs: Query Registry, System Information Discovery

    Reported IOCs (description | IOC | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dotEXEPatcher.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dotEXEPatcher.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dotEXE.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dotEXE.exe
  • Loads dropped DLL
    Processes: dotEXE.exe

    Reported IOCs (PID | process):
    2760 | dotEXE.exe
  • Checks whether UAC is enabled
    Processes: dotEXEPatcher.exe

    TTPs: System Information Discovery

    Reported IOCs (description | IOC | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dotEXEPatcher.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    Processes: dotEXEPatcher.exe

    Reported IOCs (PID | process):
    1556 | dotEXEPatcher.exe
  • Modifies registry class
    Processes: dotEXE1.exe

    Reported IOCs (description | IOC | process):
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | dotEXE1.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | dotEXE1.exe
  • Suspicious behavior: EnumeratesProcesses
    Processes: dotEXE.exe

    Reported IOCs (PID | process):
    2760 | dotEXE.exe (reported 64 times)
  • Suspicious use of SetWindowsHookEx
    Processes: dotEXE1.exe, dotEXEPatcher.exe, dotEXE.exe

    Reported IOCs (PID | process):
    3980 | dotEXE1.exe (reported twice)
    1556 | dotEXEPatcher.exe
    2760 | dotEXE.exe
  • Suspicious use of WriteProcessMemory
    Processes: dotEXEPatcher.exe

    Reported IOCs (description | PID | process | target process):
    PID 1556 wrote to memory of 2760 | 1556 | dotEXEPatcher.exe | dotEXE.exe (reported 3 times)
Processes (4)
  • C:\Users\Admin\AppData\Local\Temp\dotEXE1.exe
    "C:\Users\Admin\AppData\Local\Temp\dotEXE1.exe"
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    PID:3980
  • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\javaw.jar"
    PID:1552
  • C:\Users\Admin\Desktop\dotEXEPatcher.exe
    "C:\Users\Admin\Desktop\dotEXEPatcher.exe" C:\Users\Admin\Desktop\dotEXE.exe
    Executes dropped EXE
    Checks BIOS information in registry
    Checks whether UAC is enabled
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\Desktop\dotEXE.exe
      "C:\Users\Admin\Desktop\dotEXE.exe"
      Executes dropped EXE
      Checks BIOS information in registry
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2760
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\Desktop\VenTaz.dll (also listed as \Users\Admin\Desktop\VenTaz.dll, identical hashes)
    MD5: 51cc261f26d457fd9124e0fee73b1685
    SHA1: 1c18998b876a5a3bcf578bf060b7f9ad0b60a1be
    SHA256: 93cde449786de5bc1635979ad01b2bda46ff7898de97b233c067d1609bf92b70
    SHA512: fb77eb3e0158abf00fdf2c4a6ce796d2bafa3cb1ef7ed5d0e78451e18e6e288919f35ba0cf2cfb8843c41aec149519812aa2f3a6c57cfa2f501c76e020e4e072
  • C:\Users\Admin\Desktop\dotEXE.exe (listed twice, identical hashes)
    MD5: e86baf40ee8cca6731a956df1c4551df
    SHA1: 6227915aa0348b97e817432c55c486621b7aadd8
    SHA256: 0f1859a87cae5d3062a4b1b7c0785b9b1868c99188a6ad2cba32255f1573e54a
    SHA512: 7b63d40063b591fdf6ba0bad459e242fe191c8216026dfef5088c2463cdabfed1021d4f69ae2306a0add654877eb4ed7c71f8a7f3add044ec50ace5acf8d9d5a
  • C:\Users\Admin\Desktop\dotEXEPatcher.exe (listed twice, identical hashes)
    MD5: dce9450af517d871efddfa963473997e
    SHA1: 19ddcb014becd8ab04aed8e454b38cb895198fe3
    SHA256: ea106eb2cf2861a5008830b95d4ca4051540c1c04bd0fdb1ff9853ef643528c6
    SHA512: 11ba5f9edad86a8a289ee2f8deb532b03eaa55d83617c8286db300b415392d62754c5e0d6e1934fde513ec576b82d7df8b28d12e46118ec82720ebccd03c2eea
  • memory/1556-3-0x00007FF701850000-0x00007FF701D83000-memory.dmp
  • memory/1556-2-0x00007FF701850000-0x00007FF701D83000-memory.dmp
  • memory/2760-4-0x0000000000000000-mapping.dmp
  • memory/2760-9-0x00007FF7520B0000-0x00007FF75281C000-memory.dmp
  • memory/2760-10-0x00007FF7520B0000-0x00007FF75281C000-memory.dmp