Analysis
max time kernel: 150s
max time network: 66s
platform: windows10_x64
resource: win10v200430
submitted: 19-07-2020 17:32
Static task: static1
Behavioral task: behavioral1
  Sample: vmzeus_3.2.5.2.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: vmzeus_3.2.5.2.vir.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: vmzeus_3.2.5.2.vir.exe
Size: 316KB
MD5: 60eaea81c77422b615b2cfd50417c87e
SHA1: 950612793a50dac774040a1e99ead2160e63657c
SHA256: 3917759ae65f10aec4f9d5e5628fead573d8f3b4bba59a8f1fcd6692ec563436
SHA512: 175588b7362ae09a0b575663604c97bd875eacd2b40ab9e945a4fa2f24472708b85c238738c057690551d636cefe9a58e5e4f46371171678a9cd4af3b3d3b559
Score: 8/10
Malware Config
Signatures

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID   process                 target PID  target process
  2564  vmzeus_3.2.5.2.vir.exe  3636        vmzeus_3.2.5.2.vir.exe   (set thread context)
  428   Adobexpers.exe          644         Adobexpers.exe           (set thread context)

Executes dropped EXE (2 IoCs)
Processes:
  PID   process
  428   Adobexpers.exe
  644   Adobexpers.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  PID   process
  644   Adobexpers.exe

Suspicious behavior: EnumeratesProcesses (112 IoCs)
Processes:
  PID   process
  644   Adobexpers.exe   (the same row is repeated for every enumeration event)

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description  ioc                                                                            process
  Key opened   \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE   vmzeus_3.2.5.2.vir.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\WINE   Adobexpers.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                  process
  Key created      \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\Currentversion\Run          Adobexpers.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E355A565-C0C7-8C39-AAB3-9D20767CE672} = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobexpers.exe"   Adobexpers.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  PID   process
  2564  vmzeus_3.2.5.2.vir.exe
  428   Adobexpers.exe

Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
  PID   process                 target PID  target process          count
  2564  vmzeus_3.2.5.2.vir.exe  3636        vmzeus_3.2.5.2.vir.exe  8 (wrote to memory)
  3636  vmzeus_3.2.5.2.vir.exe  428         Adobexpers.exe          3 (wrote to memory)
  428   Adobexpers.exe          644         Adobexpers.exe          8 (wrote to memory)
  3636  vmzeus_3.2.5.2.vir.exe  904         cmd.exe                 3 (wrote to memory)
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\vmzeus_3.2.5.2.vir.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\vmzeus_3.2.5.2.vir.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (level 2) C:\Users\Admin\AppData\Local\Temp\vmzeus_3.2.5.2.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\vmzeus_3.2.5.2.vir.exe"
    - Identifies Wine through registry keys
    - Suspicious use of WriteProcessMemory
    (level 3) C:\Users\Admin\AppData\Roaming\Adobe\Adobexpers.exe
      command line: "C:\Users\Admin\AppData\Roaming\Adobe\Adobexpers.exe"
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      (level 4) C:\Users\Admin\AppData\Roaming\Adobe\Adobexpers.exe
        command line: "C:\Users\Admin\AppData\Roaming\Adobe\Adobexpers.exe"
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious behavior: EnumeratesProcesses
        - Identifies Wine through registry keys
        - Adds Run key to start application
    (level 3) C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb520b64e.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpb520b64e.bat
- C:\Users\Admin\AppData\Roaming\Adobe\Adobexpers.exe
- C:\Users\Admin\AppData\Roaming\Adobe\Adobexpers.exe
- C:\Users\Admin\AppData\Roaming\Adobe\Adobexpers.exe
- memory/428-5-0x0000000000000000-mapping.dmp
- memory/644-11-0x000000000043026E-mapping.dmp
- memory/904-14-0x0000000000000000-mapping.dmp
- memory/3636-2-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3636-3-0x000000000043026E-mapping.dmp
- memory/3636-4-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)