Analysis
- max time kernel: 151s
- max time network: 51s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:53
Static task: static1

Behavioral task: behavioral1
- Sample: vmzeus_3.2.8.1.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: vmzeus_3.2.8.1.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: vmzeus_3.2.8.1.vir.exe
- Size: 265KB
- MD5: 0422542c1ff6ffbffeeef1737344b3da
- SHA1: 9594c25b3df6a2e417a8ffa693474284829aade0
- SHA256: 7b6d799270931ac8653e17960b95378a67c532cc4c9ea485e4f3430a58089f97
- SHA512: de1d04bee6c2bacfb09da13732a10daa03a6003e060ff7ce8dd61ad809a96caa33d9bb96bd3b6b4bcb919385ba4764670af9edf58ede21f69643dc8a3d61b6ea

Score: 8/10
Malware Config
Signatures
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: vmzeus_3.2.8.1.vir.exe, ctrlAdobe.exe
- Key opened: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\WINE (vmzeus_3.2.8.1.vir.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\WINE (ctrlAdobe.exe)

Loads dropped DLL (1 IoC)
Processes:
- PID 1392 vmzeus_3.2.8.1.vir.exe

Executes dropped EXE (1 IoC)
Processes:
- PID 1468 ctrlAdobe.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- PID 1468 ctrlAdobe.exe

Deletes itself (1 IoC)
Processes:
- PID 372 cmd.exe

Suspicious behavior: EnumeratesProcesses (58 IoCs)
Processes:
- PID 1468 ctrlAdobe.exe (58 identical entries)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: ctrlAdobe.exe
- Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run (ctrlAdobe.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{DE164789-0BEC-273F-829A-EF6DDDFAFCEB} = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\ctrlAdobe.exe" (ctrlAdobe.exe)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
- PID 1392 vmzeus_3.2.8.1.vir.exe
- PID 1468 ctrlAdobe.exe

Suspicious use of UnmapMainImage (2 IoCs)
Processes:
- PID 1392 vmzeus_3.2.8.1.vir.exe
- PID 1468 ctrlAdobe.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 1392 vmzeus_3.2.8.1.vir.exe wrote to memory of PID 1468 ctrlAdobe.exe (4 entries)
- PID 1392 vmzeus_3.2.8.1.vir.exe wrote to memory of PID 372 cmd.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\vmzeus_3.2.8.1.vir.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\vmzeus_3.2.8.1.vir.exe"
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Adobe\ctrlAdobe.exe (level 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\ctrlAdobe.exe"
    - Identifies Wine through registry keys
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of UnmapMainImage
  - C:\Windows\SysWOW64\cmd.exe (level 2, child of the above)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp96d1c1ec.bat"
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp96d1c1ec.bat
- C:\Users\Admin\AppData\Roaming\Adobe\ctrlAdobe.exe
- C:\Users\Admin\AppData\Roaming\Adobe\ctrlAdobe.exe
- \Users\Admin\AppData\Roaming\Adobe\ctrlAdobe.exe
- memory/372-4-0x0000000000000000-mapping.dmp
- memory/1468-1-0x0000000000000000-mapping.dmp