Analysis
- max time kernel: 151s
- max time network: 121s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 17:18
Static task: static1
Behavioral task: behavioral1
- Sample: vmzeus_3.3.2.0.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: vmzeus_3.3.2.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: vmzeus_3.3.2.0.vir.exe
- Size: 248KB
- MD5: f1478eb97a80b4dc8113447d52764527
- SHA1: ad9a1528b5dcf820f0790f8f2ffefa8839cd43a0
- SHA256: fa5f5817b08add918117f89e06e53abea40fcda0ae3ae588622f9c1a73202cae
- SHA512: fe94c73f9819a855f383bc7c5e77dd191405a34d04526c198bb22e328fe1c4fca7eda39c8631fffeec45fe677a6e3deea8a6841ad721b2c936930c0d89ac0914
- Score: 8/10
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: MediaCenterProgramsCtrl.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{0F9BE75B-4E75-3470-341A-EC14A2BB6600} (MediaCenterProgramsCtrl.exe)
    Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run (MediaCenterProgramsCtrl.exe)
- Loads dropped DLL (1 IoC)
  Processes: vmzeus_3.3.2.0.vir.exe
    PID 1612 vmzeus_3.3.2.0.vir.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: vmzeus_3.3.2.0.vir.exe
    PID 1612 (vmzeus_3.3.2.0.vir.exe) wrote to memory of PID 1076 (MediaCenterProgramsCtrl.exe), 4 events
    PID 1612 (vmzeus_3.3.2.0.vir.exe) wrote to memory of PID 1316 (cmd.exe), 4 events
- Executes dropped EXE (1 IoC)
  Processes: MediaCenterProgramsCtrl.exe
    PID 1076 MediaCenterProgramsCtrl.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: MediaCenterProgramsCtrl.exe
    PID 1076 MediaCenterProgramsCtrl.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
    PID 1316 cmd.exe
- Suspicious behavior: EnumeratesProcesses (58 IoCs)
  Processes: MediaCenterProgramsCtrl.exe
    PID 1076 MediaCenterProgramsCtrl.exe, 58 events
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: MediaCenterProgramsCtrl.exe, vmzeus_3.3.2.0.vir.exe
    Key opened: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE (MediaCenterProgramsCtrl.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE (vmzeus_3.3.2.0.vir.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\vmzeus_3.3.2.0.vir.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\vmzeus_3.3.2.0.vir.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Identifies Wine through registry keys
  - C:\Users\Admin\AppData\Roaming\Media Center Programs\MediaCenterProgramsCtrl.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Media Center Programs\MediaCenterProgramsCtrl.exe"
    - Adds Run key to start application
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious behavior: EnumeratesProcesses
    - Identifies Wine through registry keys
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe3bddc78.bat"
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpe3bddc78.bat
- C:\Users\Admin\AppData\Roaming\Media Center Programs\MediaCenterProgramsCtrl.exe
- \Users\Admin\AppData\Roaming\Media Center Programs\MediaCenterProgramsCtrl.exe
- memory/1076-1-0x0000000000000000-mapping.dmp
- memory/1316-4-0x0000000000000000-mapping.dmp