05fe1601534d962e745acf8c0c577a2dbf87be8e62ea6672be043605d5906716

General

Target

vmzeus_3.3.1.0.vir.exe
Size

300KB
MD5

c780cfbc40a338933120ec9efd6d6a0a
SHA1

63025be073538fbe61af35e70ae22918bfc172e5
SHA256

05fe1601534d962e745acf8c0c577a2dbf87be8e62ea6672be043605d5906716
SHA512

c35f2cd5be20fa9f82e24cb852d0d10a63df4e5f4aad09456c5fe28b5f5bde432939b1b998201c8bbfbe36d40fe42da2a25517bdc4716eca782a3887d2ec7d4b

Score

8^/10

evasion persistence

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vmzeus_3.3.1.0.vir.exetrayMicrosoft.exe

pid process

2016 vmzeus_3.3.1.0.vir.exe
2792 trayMicrosoft.exe

pid	process
2016	vmzeus_3.3.1.0.vir.exe
2792	trayMicrosoft.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

vmzeus_3.3.1.0.vir.exevmzeus_3.3.1.0.vir.exetrayMicrosoft.exe

description	pid	process	target process
PID 2016 wrote to memory of 2152	2016	vmzeus_3.3.1.0.vir.exe	vmzeus_3.3.1.0.vir.exe
PID 2016 wrote to memory of 2152	2016	vmzeus_3.3.1.0.vir.exe	vmzeus_3.3.1.0.vir.exe
PID 2016 wrote to memory of 2152	2016	vmzeus_3.3.1.0.vir.exe	vmzeus_3.3.1.0.vir.exe
PID 2016 wrote to memory of 2152	2016	vmzeus_3.3.1.0.vir.exe	vmzeus_3.3.1.0.vir.exe
PID 2016 wrote to memory of 2152	2016	vmzeus_3.3.1.0.vir.exe	vmzeus_3.3.1.0.vir.exe
PID 2016 wrote to memory of 2152	2016	vmzeus_3.3.1.0.vir.exe	vmzeus_3.3.1.0.vir.exe
PID 2016 wrote to memory of 2152	2016	vmzeus_3.3.1.0.vir.exe	vmzeus_3.3.1.0.vir.exe
PID 2016 wrote to memory of 2152	2016	vmzeus_3.3.1.0.vir.exe	vmzeus_3.3.1.0.vir.exe
PID 2152 wrote to memory of 2792	2152	vmzeus_3.3.1.0.vir.exe	trayMicrosoft.exe
PID 2152 wrote to memory of 2792	2152	vmzeus_3.3.1.0.vir.exe	trayMicrosoft.exe
PID 2152 wrote to memory of 2792	2152	vmzeus_3.3.1.0.vir.exe	trayMicrosoft.exe
PID 2792 wrote to memory of 3940	2792	trayMicrosoft.exe	trayMicrosoft.exe
PID 2792 wrote to memory of 3940	2792	trayMicrosoft.exe	trayMicrosoft.exe
PID 2792 wrote to memory of 3940	2792	trayMicrosoft.exe	trayMicrosoft.exe
PID 2792 wrote to memory of 3940	2792	trayMicrosoft.exe	trayMicrosoft.exe
PID 2792 wrote to memory of 3940	2792	trayMicrosoft.exe	trayMicrosoft.exe
PID 2792 wrote to memory of 3940	2792	trayMicrosoft.exe	trayMicrosoft.exe
PID 2792 wrote to memory of 3940	2792	trayMicrosoft.exe	trayMicrosoft.exe
PID 2792 wrote to memory of 3940	2792	trayMicrosoft.exe	trayMicrosoft.exe
PID 2152 wrote to memory of 2556	2152	vmzeus_3.3.1.0.vir.exe	cmd.exe
PID 2152 wrote to memory of 2556	2152	vmzeus_3.3.1.0.vir.exe	cmd.exe
PID 2152 wrote to memory of 2556	2152	vmzeus_3.3.1.0.vir.exe	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

vmzeus_3.3.1.0.vir.exetrayMicrosoft.exe

description	pid	process	target process
PID 2016 set thread context of 2152	2016	vmzeus_3.3.1.0.vir.exe	vmzeus_3.3.1.0.vir.exe
PID 2792 set thread context of 3940	2792	trayMicrosoft.exe	trayMicrosoft.exe

Executes dropped EXE 2 IoCs

Processes:

trayMicrosoft.exetrayMicrosoft.exe

pid process

2792 trayMicrosoft.exe
3940 trayMicrosoft.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

trayMicrosoft.exe

pid process

3940 trayMicrosoft.exe

pid	process
2792	trayMicrosoft.exe
3940	trayMicrosoft.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

trayMicrosoft.exe

pid	process
3940	trayMicrosoft.exe
3940	trayMicrosoft.exe
3940	trayMicrosoft.exe
3940	trayMicrosoft.exe
3940	trayMicrosoft.exe
3940	trayMicrosoft.exe
3940	trayMicrosoft.exe
3940	trayMicrosoft.exe
3940	trayMicrosoft.exe
3940	trayMicrosoft.exe
3940	trayMicrosoft.exe
3940	trayMicrosoft.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

vmzeus_3.3.1.0.vir.exetrayMicrosoft.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE	vmzeus_3.3.1.0.vir.exe
Key opened	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE	trayMicrosoft.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

trayMicrosoft.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\Currentversion\Run	trayMicrosoft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D3D2488E-FDB6-81E0-9838-3AE5F8187D7D} = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\trayMicrosoft.exe"	trayMicrosoft.exe

C:\Users\Admin\AppData\Local\Temp\vmzeus_3.3.1.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\vmzeus_3.3.1.0.vir.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:2016

C:\Users\Admin\AppData\Local\Temp\vmzeus_3.3.1.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\vmzeus_3.3.1.0.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Identifies Wine through registry keys
PID:2152

C:\Users\Admin\AppData\Roaming\Microsoft\trayMicrosoft.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\trayMicrosoft.exe"
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:2792

C:\Users\Admin\AppData\Roaming\Microsoft\trayMicrosoft.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\trayMicrosoft.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: EnumeratesProcesses
- Identifies Wine through registry keys
- Adds Run key to start application
PID:3940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8a375e96.bat"
3⤵
PID:2556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8a375e96.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\trayMicrosoft.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\trayMicrosoft.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\trayMicrosoft.exe

Download Submit
memory/2016-2-0x000000000056A000-0x000000000056B000-memory.dmp

Filesize
4KB

Download
memory/2152-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2152-4-0x00000000004116D7-mapping.dmp

Download
memory/2152-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-15-0x0000000000000000-mapping.dmp

Download
memory/2792-6-0x0000000000000000-mapping.dmp

Download
memory/2792-11-0x000000000058A000-0x000000000058B000-memory.dmp

Filesize
4KB

Download
memory/3940-13-0x00000000004116D7-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads