Analysis
- max time kernel: 35s
- max time network: 36s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-11-2020 13:36
- Static task: static1
- Behavioral task: behavioral1 (sample dotEXE1.exe, resource win10v20201028)
- Behavioral task: behavioral2 (sample dotEXE1.exe, resource win10v20201028)
General
- Target: dotEXE1.exe
- Size: 5.3MB
- MD5: d8e3e53d1eb7b3cc029ccd1b4af18aaa
- SHA1: 3e3057d6e140a8c7b29929b3982f3f27692635f6
- SHA256: 9811501a32c5d39dfccc30ada4c5538602a53b94d19ba0d6323c830f8234d27c
- SHA512: 5f55b1a3de85d5d298ce2fe8915b0bc9918f3f0f9758180028dd89ac0b3913a369530eb8e520cffb35eebb46db583325f65a4d070751b7fd4b8022e9b697e667
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Executes dropped EXE [2 IoCs]
  Processes:
    pid 1888  dotEXEPatcher.exe
    pid 2132  dotEXE.exe
- Checks BIOS information in registry [2 TTPs, 4 IoCs]
  BIOS information is often read in order to detect sandboxing environments. Both dropped executables read the same two values, SystemBiosVersion and VideoBiosVersion, which on a VirtualBox guest carry vendor strings that anti-VM code can match.
  Processes (key value queried / process):
    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   dotEXEPatcher.exe
    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  dotEXE.exe
    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   dotEXE.exe
    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  dotEXEPatcher.exe
- Loads dropped DLL [1 IoC]
  Processes:
    pid 2132  dotEXE.exe
- Checks whether UAC is enabled [1 IoC]
  Processes (key value queried / process):
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dotEXEPatcher.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  A thread hidden from the debugger stops receiving debug events; this is a common anti-debugging step.
  Processes:
    pid 1888  dotEXEPatcher.exe
- Modifies registry class [2 IoCs]
  Processes (key created / process):
    \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance  dotEXE1.exe
    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance  dotEXE1.exe
- Suspicious behavior: EnumeratesProcesses [70 IoCs]
  Processes:
    pid 2132  dotEXE.exe (every one of the repeated entries is this process)
- Suspicious use of SetWindowsHookEx [4 IoCs]
  Processes:
    pid 3408  dotEXE1.exe (2 entries)
    pid 1888  dotEXEPatcher.exe
    pid 2132  dotEXE.exe
- Suspicious use of WriteProcessMemory [3 IoCs]
  Processes (writer / target):
    PID 1888 dotEXEPatcher.exe wrote to memory of PID 2132 dotEXE.exe (3 entries)
  The patcher is launched with the path of dotEXE.exe as its argument, starts it as a child and then writes into its memory; the report records the writes but not their content.
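What the "Checks BIOS information in registry" signature keys on, as an added example that is not part of the Triage report above. The four registry queries are transcribed from the report; the marker list and the two host profiles (a VirtualBox guest and a bare-metal machine) are constructed illustrations, not values observed in the sandbox, and the code models the REG_MULTI_SZ values as Python lists rather than reading the live registry.

```python
"""
Added example: emulate the anti-VM decision behind the BIOS registry queries
listed in the report, and group those queries per process the way a detection
rule would correlate them. Marker list and host profiles are assumptions.
"""
import re
from collections import defaultdict

BIOS_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"

# (process, value queried), exactly as listed in the report's signature.
REPORT_QUERIES = [
    ("dotEXEPatcher.exe", BIOS_KEY + r"\VideoBiosVersion"),
    ("dotEXE.exe",        BIOS_KEY + r"\SystemBiosVersion"),
    ("dotEXE.exe",        BIOS_KEY + r"\VideoBiosVersion"),
    ("dotEXEPatcher.exe", BIOS_KEY + r"\SystemBiosVersion"),
]

# Substrings anti-VM code commonly matches in these values (assumed list,
# word-bounded so that e.g. "XEN" does not fire inside unrelated vendor text).
HYPERVISOR_RE = re.compile(
    r"\b(VBOX|VIRTUALBOX|ORACLE VM|VMWARE|QEMU|BOCHS|XEN|VRTUAL|HYPER-?V|PARALLELS)\b",
    re.IGNORECASE,
)

# Constructed host profiles. SystemBiosVersion / VideoBiosVersion are
# REG_MULTI_SZ in the registry; modelled here as lists of strings.
SAMPLE_HOSTS = {
    "virtualbox_guest": {
        "SystemBiosVersion": ["VBOX   - 1"],
        "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.16 VBE Adapter"],
    },
    "bare_metal": {
        "SystemBiosVersion": ["LENOVO - 1510"],
        "VideoBiosVersion": ["Intel Video BIOS"],
    },
}


def bios_queries_by_process(queries):
    """Group the BIOS value names each process read (ignores non-BIOS paths)."""
    out = defaultdict(set)
    for proc, path in queries:
        key, _, value = path.rpartition("\\")
        if key.lower() == BIOS_KEY.lower() and value.lower().endswith("biosversion"):
            out[proc].add(value)
    return {p: sorted(v) for p, v in out.items()}


def hypervisor_from_values(host):
    """Emulate the sample's kind of check: first marker found in either value.

    Returns (marker, value_name) or None. SystemBiosVersion is checked first
    because it is the value most anti-VM code reads first.
    """
    for value_name in ("SystemBiosVersion", "VideoBiosVersion"):
        for s in host.get(value_name, []):
            m = HYPERVISOR_RE.search(s)
            if m:
                return m.group(1).upper(), value_name
    return None


def run_anti_vm_check(host_name):
    """True when this check would conclude 'running under a hypervisor'."""
    return hypervisor_from_values(SAMPLE_HOSTS[host_name]) is not None


if __name__ == "__main__":
    print(bios_queries_by_process(REPORT_QUERIES))
    for name in SAMPLE_HOSTS:
        print(name, hypervisor_from_values(SAMPLE_HOSTS[name]))
```

The detection side is the grouping: one process reading both BIOSVersion values shortly after start, with no other hardware enumeration, is the pattern the sandbox signature flags. Note that the marker list would also fire on Hyper-V's "VRTUAL" string, so a sample with this check may refuse to run on Hyper-V based sandboxes as well as on VirtualBox.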
Processes
- C:\Users\Admin\AppData\Local\Temp\dotEXE1.exe (pid 3408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dotEXE1.exe"
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Users\Admin\Desktop\dotEXEPatcher.exe (pid 1888)
  Command line: "C:\Users\Admin\Desktop\dotEXEPatcher.exe" C:\Users\Admin\Desktop\dotEXE.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Desktop\dotEXE.exe (pid 2132, child of 1888)
    Command line: "C:\Users\Admin\Desktop\dotEXE.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
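Rebuilding the process tree above and correlating it with the WriteProcessMemory IoCs, as an added example that is not part of the Triage report. The process records, the dropped-file list and the three flattened IoC strings are transcribed from the report; the parsing and the flagging rule (a cross-process write whose target image is a file dropped during the run) are assumed tooling, and the report does not say what bytes were written.

```python
"""
Added example: parse Triage's flattened 'wrote to memory of' IoC text, attach
the writes to the process tree, and flag writes into a dropped executable.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]          # None: no parent link recorded in the tree
    args: str = ""
    signatures: list = field(default_factory=list)


# Process tree as shown in the report (depth-1 entries carry no parent link).
PROCS = {
    3408: Proc(3408, r"C:\Users\Admin\AppData\Local\Temp\dotEXE1.exe", None, "",
               ["Modifies registry class", "Suspicious use of SetWindowsHookEx"]),
    1888: Proc(1888, r"C:\Users\Admin\Desktop\dotEXEPatcher.exe", None,
               r"C:\Users\Admin\Desktop\dotEXE.exe",
               ["Executes dropped EXE", "Checks BIOS information in registry",
                "Checks whether UAC is enabled",
                "Suspicious use of NtSetInformationThreadHideFromDebugger",
                "Suspicious use of SetWindowsHookEx",
                "Suspicious use of WriteProcessMemory"]),
    2132: Proc(2132, r"C:\Users\Admin\Desktop\dotEXE.exe", 1888, "",
               ["Executes dropped EXE", "Checks BIOS information in registry",
                "Loads dropped DLL", "Suspicious behavior: EnumeratesProcesses",
                "Suspicious use of SetWindowsHookEx"]),
}

# Files listed under 'Downloads', i.e. dropped during the run.
DROPPED = {
    r"C:\Users\Admin\Desktop\VenTaz.dll",
    r"C:\Users\Admin\Desktop\dotEXE.exe",
    r"C:\Users\Admin\Desktop\dotEXEPatcher.exe",
}

# The three WriteProcessMemory IoCs in the flattened form the report uses.
WPM_IOCS = (
    "PID 1888 wrote to memory of 2132 1888 dotEXEPatcher.exe dotEXE.exe "
    "PID 1888 wrote to memory of 2132 1888 dotEXEPatcher.exe dotEXE.exe "
    "PID 1888 wrote to memory of 2132 1888 dotEXEPatcher.exe dotEXE.exe"
)

# "PID <w> wrote to memory of <t> <w> <writer image> <target image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_memory_writes(text):
    """Return (writer_pid, target_pid, writer_image, target_image) tuples."""
    return [(int(w), int(t), wi, ti) for w, t, wi, ti in WPM_RE.findall(text)]


def children(procs, pid):
    """PIDs whose recorded parent is `pid`."""
    return sorted(p.pid for p in procs.values() if p.parent == pid)


def flag_writes(writes, procs, dropped):
    """Aggregate cross-process writes whose target image is a dropped file.

    'relation' is 'parent' when the writer spawned the target (the loader /
    patcher pattern) and 'unrelated' for writes into a foreign process.
    """
    counts = {}
    for writer, target, _, _ in writes:
        if writer == target:
            continue                      # writes into self are not injection
        tgt = procs.get(target)
        if tgt is None or tgt.image not in dropped:
            continue
        counts[(writer, target)] = counts.get((writer, target), 0) + 1
    findings = []
    for (writer, target), n in sorted(counts.items()):
        tgt = procs[target]
        findings.append({
            "writer": writer,
            "writer_image": procs[writer].image if writer in procs else "?",
            "target": target,
            "target_image": tgt.image,
            "relation": "parent" if tgt.parent == writer else "unrelated",
            "count": n,
        })
    return findings


if __name__ == "__main__":
    for f in flag_writes(parse_memory_writes(WPM_IOCS), PROCS, DROPPED):
        print(f)
```

For this run the single finding is pid 1888 writing three times into its own child, pid 2132, whose image is one of the dropped files and which is also the path passed on the patcher's command line. That combination (spawn a dropped binary, write into it, child then enumerates processes and loads a dropped DLL) is what to pull memory dumps for; the 7.4MB dumps of pid 2132 listed below are the place to look for what was written.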
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\VenTaz.dll (also recorded as \Users\Admin\Desktop\VenTaz.dll)
  MD5:    51cc261f26d457fd9124e0fee73b1685
  SHA1:   1c18998b876a5a3bcf578bf060b7f9ad0b60a1be
  SHA256: 93cde449786de5bc1635979ad01b2bda46ff7898de97b233c067d1609bf92b70
  SHA512: fb77eb3e0158abf00fdf2c4a6ce796d2bafa3cb1ef7ed5d0e78451e18e6e288919f35ba0cf2cfb8843c41aec149519812aa2f3a6c57cfa2f501c76e020e4e072
- C:\Users\Admin\Desktop\dotEXE.exe
  MD5:    e86baf40ee8cca6731a956df1c4551df
  SHA1:   6227915aa0348b97e817432c55c486621b7aadd8
  SHA256: 0f1859a87cae5d3062a4b1b7c0785b9b1868c99188a6ad2cba32255f1573e54a
  SHA512: 7b63d40063b591fdf6ba0bad459e242fe191c8216026dfef5088c2463cdabfed1021d4f69ae2306a0add654877eb4ed7c71f8a7f3add044ec50ace5acf8d9d5a
- C:\Users\Admin\Desktop\dotEXEPatcher.exe
  MD5:    dce9450af517d871efddfa963473997e
  SHA1:   19ddcb014becd8ab04aed8e454b38cb895198fe3
  SHA256: ea106eb2cf2861a5008830b95d4ca4051540c1c04bd0fdb1ff9853ef643528c6
  SHA512: 11ba5f9edad86a8a289ee2f8deb532b03eaa55d83617c8286db300b415392d62754c5e0d6e1934fde513ec576b82d7df8b28d12e46118ec82720ebccd03c2eea

Memory dumps
- memory/1888-3-0x00007FF68A9C0000-0x00007FF68AEF3000-memory.dmp (5.2MB)
- memory/1888-4-0x00007FF68A9C0000-0x00007FF68AEF3000-memory.dmp (5.2MB)
- memory/2132-5-0x0000000000000000-mapping.dmp
- memory/2132-10-0x00007FF6D6940000-0x00007FF6D70AC000-memory.dmp (7.4MB)
- memory/2132-11-0x00007FF6D6940000-0x00007FF6D70AC000-memory.dmp (7.4MB)