fa5f5817b08add918117f89e06e53abea40fcda0ae3ae588622f9c1a73202cae

General

Target

vmzeus_3.3.2.0.vir.exe
Size

248KB
MD5

f1478eb97a80b4dc8113447d52764527
SHA1

ad9a1528b5dcf820f0790f8f2ffefa8839cd43a0
SHA256

fa5f5817b08add918117f89e06e53abea40fcda0ae3ae588622f9c1a73202cae
SHA512

fe94c73f9819a855f383bc7c5e77dd191405a34d04526c198bb22e328fe1c4fca7eda39c8631fffeec45fe677a6e3deea8a6841ad721b2c936930c0d89ac0914

Score

8^/10

evasion persistence

Malware Config

Signatures

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ctrlMicrosoft.exe

pid process

3896 ctrlMicrosoft.exe

pid	process
3896	ctrlMicrosoft.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

vmzeus_3.3.2.0.vir.exectrlMicrosoft.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE	vmzeus_3.3.2.0.vir.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE	ctrlMicrosoft.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ctrlMicrosoft.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run	ctrlMicrosoft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\{084A38E2-BCE0-66B6-CD4F-4C17F2B4ED67} = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ctrlMicrosoft.exe"	ctrlMicrosoft.exe

Program crash 20 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3880	3080	WerFault.exe	vmzeus_3.3.2.0.vir.exe
3820	3080	WerFault.exe	vmzeus_3.3.2.0.vir.exe
3792	3896	WerFault.exe	ctrlMicrosoft.exe
3188	3896	WerFault.exe	ctrlMicrosoft.exe
2456	3080	WerFault.exe	vmzeus_3.3.2.0.vir.exe
2228	3896	WerFault.exe	ctrlMicrosoft.exe
2068	3080	WerFault.exe	vmzeus_3.3.2.0.vir.exe
3788	3896	WerFault.exe	ctrlMicrosoft.exe
3736	3896	WerFault.exe	ctrlMicrosoft.exe
3728	3896	WerFault.exe	ctrlMicrosoft.exe
496	3896	WerFault.exe	ctrlMicrosoft.exe
640	3896	WerFault.exe	ctrlMicrosoft.exe
844	3896	WerFault.exe	ctrlMicrosoft.exe
1020	3896	WerFault.exe	ctrlMicrosoft.exe
608	3896	WerFault.exe	ctrlMicrosoft.exe
1152	3896	WerFault.exe	ctrlMicrosoft.exe
1308	3896	WerFault.exe	ctrlMicrosoft.exe
1456	3896	WerFault.exe	ctrlMicrosoft.exe
1520	3896	WerFault.exe	ctrlMicrosoft.exe
3880	3896	WerFault.exe	ctrlMicrosoft.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3880	WerFault.exe
Token: SeBackupPrivilege	3880	WerFault.exe
Token: SeDebugPrivilege	3880	WerFault.exe
Token: SeDebugPrivilege	3820	WerFault.exe
Token: SeDebugPrivilege	3792	WerFault.exe
Token: SeDebugPrivilege	3188	WerFault.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exectrlMicrosoft.exe

pid	process
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3188	WerFault.exe
3188	WerFault.exe
3188	WerFault.exe
3188	WerFault.exe
3188	WerFault.exe
3188	WerFault.exe
3188	WerFault.exe
3188	WerFault.exe
3188	WerFault.exe
3188	WerFault.exe
3188	WerFault.exe
3188	WerFault.exe
3188	WerFault.exe
3896	ctrlMicrosoft.exe
3896	ctrlMicrosoft.exe
3896	ctrlMicrosoft.exe
3896	ctrlMicrosoft.exe
3896	ctrlMicrosoft.exe
3896	ctrlMicrosoft.exe
3896	ctrlMicrosoft.exe
3896	ctrlMicrosoft.exe
3896	ctrlMicrosoft.exe
3896	ctrlMicrosoft.exe
3896	ctrlMicrosoft.exe
3896	ctrlMicrosoft.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

vmzeus_3.3.2.0.vir.exe

description	pid	process	target process
PID 3080 wrote to memory of 3896	3080	vmzeus_3.3.2.0.vir.exe	ctrlMicrosoft.exe
PID 3080 wrote to memory of 3896	3080	vmzeus_3.3.2.0.vir.exe	ctrlMicrosoft.exe
PID 3080 wrote to memory of 3896	3080	vmzeus_3.3.2.0.vir.exe	ctrlMicrosoft.exe
PID 3080 wrote to memory of 2628	3080	vmzeus_3.3.2.0.vir.exe	cmd.exe
PID 3080 wrote to memory of 2628	3080	vmzeus_3.3.2.0.vir.exe	cmd.exe
PID 3080 wrote to memory of 2628	3080	vmzeus_3.3.2.0.vir.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

ctrlMicrosoft.exe

pid process

3896 ctrlMicrosoft.exe

pid	process
3896	ctrlMicrosoft.exe

C:\Users\Admin\AppData\Local\Temp\vmzeus_3.3.2.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\vmzeus_3.3.2.0.vir.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 632
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 604
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3820

C:\Users\Admin\AppData\Roaming\Microsoft\ctrlMicrosoft.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\ctrlMicrosoft.exe"
2⤵
- Suspicious use of FindShellTrayWindow
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 624
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 372
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 768
3⤵
- Program crash
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 732
3⤵
- Program crash
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 712
3⤵
- Program crash
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 776
3⤵
- Program crash
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 740
3⤵
- Program crash
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 820
3⤵
- Program crash
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 876
3⤵
- Program crash
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 832
3⤵
- Program crash
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 796
3⤵
- Program crash
PID:608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 892
3⤵
- Program crash
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 992
3⤵
- Program crash
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1248
3⤵
- Program crash
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1256
3⤵
- Program crash
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1216
3⤵
- Program crash
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 724
2⤵
- Program crash
PID:2456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbdebc3ee.bat"
2⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 244
2⤵
- Program crash
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbdebc3ee.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ctrlMicrosoft.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ctrlMicrosoft.exe

Download Submit
memory/2628-24-0x0000000000000000-mapping.dmp

Download
memory/3188-20-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3188-16-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/3792-12-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3792-7-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/3820-2-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/3820-3-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/3880-0-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/3880-1-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3896-15-0x0000000000000000-mapping.dmp

Download
memory/3896-19-0x0000000000000000-mapping.dmp

Download
memory/3896-14-0x0000000000000000-mapping.dmp

Download
memory/3896-11-0x0000000000000000-mapping.dmp

Download
memory/3896-4-0x0000000000000000-mapping.dmp

Download
memory/3896-17-0x0000000000000000-mapping.dmp

Download
memory/3896-18-0x0000000000000000-mapping.dmp

Download
memory/3896-13-0x0000000000000000-mapping.dmp

Download
memory/3896-10-0x0000000000000000-mapping.dmp

Download
memory/3896-21-0x0000000000000000-mapping.dmp

Download
memory/3896-22-0x0000000000000000-mapping.dmp

Download
memory/3896-23-0x0000000000000000-mapping.dmp

Download
memory/3896-9-0x0000000000000000-mapping.dmp

Download
memory/3896-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads