Analysis
- max time kernel: 150s
- max time network: 117s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 17:18
Static task
- static1

Behavioral task
- behavioral1
  Sample: vmzeus_3.3.2.0.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
- behavioral2
  Sample: vmzeus_3.3.2.0.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: vmzeus_3.3.2.0.vir.exe
- Size: 248KB
- MD5: f1478eb97a80b4dc8113447d52764527
- SHA1: ad9a1528b5dcf820f0790f8f2ffefa8839cd43a0
- SHA256: fa5f5817b08add918117f89e06e53abea40fcda0ae3ae588622f9c1a73202cae
- SHA512: fe94c73f9819a855f383bc7c5e77dd191405a34d04526c198bb22e328fe1c4fca7eda39c8631fffeec45fe677a6e3deea8a6841ad721b2c936930c0d89ac0914
- Score: 8/10
Malware Config
Signatures
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid / process):
    3896  ctrlMicrosoft.exe

- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE  vmzeus_3.3.2.0.vir.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE  ctrlMicrosoft.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run  ctrlMicrosoft.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\{084A38E2-BCE0-66B6-CD4F-4C17F2B4ED67} = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ctrlMicrosoft.exe"  ctrlMicrosoft.exe

- Program crash (20 IoCs)
  Processes (pid / pid_target / process / target process):
    3880  3080  WerFault.exe  vmzeus_3.3.2.0.vir.exe
    3820  3080  WerFault.exe  vmzeus_3.3.2.0.vir.exe
    3792  3896  WerFault.exe  ctrlMicrosoft.exe
    3188  3896  WerFault.exe  ctrlMicrosoft.exe
    2456  3080  WerFault.exe  vmzeus_3.3.2.0.vir.exe
    2228  3896  WerFault.exe  ctrlMicrosoft.exe
    2068  3080  WerFault.exe  vmzeus_3.3.2.0.vir.exe
    3788  3896  WerFault.exe  ctrlMicrosoft.exe
    3736  3896  WerFault.exe  ctrlMicrosoft.exe
    3728  3896  WerFault.exe  ctrlMicrosoft.exe
    496   3896  WerFault.exe  ctrlMicrosoft.exe
    640   3896  WerFault.exe  ctrlMicrosoft.exe
    844   3896  WerFault.exe  ctrlMicrosoft.exe
    1020  3896  WerFault.exe  ctrlMicrosoft.exe
    608   3896  WerFault.exe  ctrlMicrosoft.exe
    1152  3896  WerFault.exe  ctrlMicrosoft.exe
    1308  3896  WerFault.exe  ctrlMicrosoft.exe
    1456  3896  WerFault.exe  ctrlMicrosoft.exe
    1520  3896  WerFault.exe  ctrlMicrosoft.exe
    3880  3896  WerFault.exe  ctrlMicrosoft.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description / pid / process):
    Token: SeRestorePrivilege  3880  WerFault.exe
    Token: SeBackupPrivilege   3880  WerFault.exe
    Token: SeDebugPrivilege    3880  WerFault.exe
    Token: SeDebugPrivilege    3820  WerFault.exe
    Token: SeDebugPrivilege    3792  WerFault.exe
    Token: SeDebugPrivilege    3188  WerFault.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process; repeated entries collapsed to counts):
    3880  WerFault.exe       (13 entries)
    3820  WerFault.exe       (13 entries)
    3792  WerFault.exe       (13 entries)
    3188  WerFault.exe       (13 entries)
    3896  ctrlMicrosoft.exe  (12 entries)

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process; repeated entries collapsed to counts):
    PID 3080 wrote to memory of 3896  3080  vmzeus_3.3.2.0.vir.exe  ctrlMicrosoft.exe  (3 entries)
    PID 3080 wrote to memory of 2628  3080  vmzeus_3.3.2.0.vir.exe  cmd.exe  (3 entries)

- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    3896  ctrlMicrosoft.exe
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\vmzeus_3.3.2.0.vir.exe (PID 3080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\vmzeus_3.3.2.0.vir.exe"
  Signatures: Identifies Wine through registry keys; Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 632
    Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
  - Image: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 604
    Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
  - Image: C:\Users\Admin\AppData\Roaming\Microsoft\ctrlMicrosoft.exe (PID 3896)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\ctrlMicrosoft.exe"
    Signatures: Suspicious use of FindShellTrayWindow; Identifies Wine through registry keys; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Executes dropped EXE
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 624
      Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 372
      Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 768
      Signatures: Program crash
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 732
      Signatures: Program crash
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 712
      Signatures: Program crash
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 776
      Signatures: Program crash
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 740
      Signatures: Program crash
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 820
      Signatures: Program crash
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 876
      Signatures: Program crash
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 832
      Signatures: Program crash
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 796
      Signatures: Program crash
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 892
      Signatures: Program crash
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 992
      Signatures: Program crash
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1248
      Signatures: Program crash
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1256
      Signatures: Program crash
    - Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1216
      Signatures: Program crash
  - Image: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 724
    Signatures: Program crash
  - Image: C:\Windows\SysWOW64\cmd.exe (PID 2628)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbdebc3ee.bat"
  - Image: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 244
    Signatures: Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpbdebc3ee.bat
- C:\Users\Admin\AppData\Roaming\Microsoft\ctrlMicrosoft.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\ctrlMicrosoft.exe
- memory/2628-24-0x0000000000000000-mapping.dmp
- memory/3188-20-0x0000000005060000-0x0000000005061000-memory.dmp (4KB)
- memory/3188-16-0x00000000048B0000-0x00000000048B1000-memory.dmp (4KB)
- memory/3792-12-0x0000000005040000-0x0000000005041000-memory.dmp (4KB)
- memory/3792-7-0x0000000004910000-0x0000000004911000-memory.dmp (4KB)
- memory/3820-2-0x0000000004320000-0x0000000004321000-memory.dmp (4KB)
- memory/3820-3-0x0000000004960000-0x0000000004961000-memory.dmp (4KB)
- memory/3880-0-0x0000000004370000-0x0000000004371000-memory.dmp (4KB)
- memory/3880-1-0x00000000049A0000-0x00000000049A1000-memory.dmp (4KB)
- memory/3896-15-0x0000000000000000-mapping.dmp
- memory/3896-19-0x0000000000000000-mapping.dmp
- memory/3896-14-0x0000000000000000-mapping.dmp
- memory/3896-11-0x0000000000000000-mapping.dmp
- memory/3896-4-0x0000000000000000-mapping.dmp
- memory/3896-17-0x0000000000000000-mapping.dmp
- memory/3896-18-0x0000000000000000-mapping.dmp
- memory/3896-13-0x0000000000000000-mapping.dmp
- memory/3896-10-0x0000000000000000-mapping.dmp
- memory/3896-21-0x0000000000000000-mapping.dmp
- memory/3896-22-0x0000000000000000-mapping.dmp
- memory/3896-23-0x0000000000000000-mapping.dmp
- memory/3896-9-0x0000000000000000-mapping.dmp
- memory/3896-8-0x0000000000000000-mapping.dmp