Malware analysis VUMVHM3RZP.exe Malicious activity | ANY.RUN

Add for printing

File name:	VUMVHM3RZP.exe
Full analysis:	https://app.any.run/tasks/41d31e1e-e713-452d-a171-93aaf84e8de2
Verdict:	Malicious activity
Analysis date:	June 14, 2024, 16:56:35
OS:	Ubuntu 22.04.2
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64, for MS Windows
MD5:	6785144A0ECB7FB6754C61DA7BA3612B
SHA1:	83528AB1782A9D21A82845DD1F519ED3F252B61A
SHA256:	7DD73AF4A4845B7DF80AD1AABD8FC269395C9BA515312E26645E6339CB9FD765
SSDEEP:	98304:a5RqtGVHKCvSaJhGcGN8khq8hUdbAObtIEOI9NxKntDTCICoSu8pIKNvQzLDE+iy:xBF9M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- Modifies hosts file
  - wine64 (PID: 13422)
- Drops the executable file immediately after the start
  - dpkg (PID: 13136)
SUSPICIOUS
- Checks DMI information (probably VM detection)
  - systemd-hostnamed (PID: 12951)
  - wine64 (PID: 13417)
- Executes commands using command-line interpreter
  - apt (PID: 13069)
  - gnome-terminal-server (PID: 13014)
  - su (PID: 13059)
  - dpkg-preconfigure (PID: 13121)
  - apt (PID: 13319)
  - update-notifier (PID: 13365)
- Executable content was dropped or overwritten
  - dpkg (PID: 13136)
- Process drops legitimate windows executable
  - dpkg (PID: 13136)
- Executes the "rm" command to delete files or directories
  - dpkg (PID: 13136)
  - update-motd-updates-available (PID: 13325)
- Creates or rewrites file in the "bin" folder
  - dpkg (PID: 13136)
- Changes time attribute to hide new files or make changes to the existing one
  - sh (PID: 13323)
- Reads /proc/mounts (likely used to find writable filesystems)
  - check-new-release-gtk (PID: 13367)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:05:22 18:02:05+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.39
CodeSize:	967168
InitializedDataSize:	2172416
UninitializedDataSize:	-
EntryPoint:	0x510bed
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

563

Monitored processes

348

Malicious processes

5

Suspicious processes

1

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
12926	sh -c "file --mime-type /tmp/VUMVHM3RZP\.exe"	/bin/sh	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 0
12927	file --mime-type /tmp/VUMVHM3RZP.exe	/usr/bin/file	—	sh
User: root Integrity Level: UNKNOWN Exit code: 0
12928	/bin/sh -c "DISPLAY=:0 sudo -iu user nautilus /tmp/VUMVHM3RZP\.exe "	/bin/sh	—	any-guest-agent
User: user Integrity Level: UNKNOWN Exit code: 13007
12929	sudo -iu user nautilus /tmp/VUMVHM3RZP.exe	/usr/bin/sudo	—	sh
User: user Integrity Level: UNKNOWN Exit code: 12996
12930	nautilus /tmp/VUMVHM3RZP.exe	/usr/bin/nautilus	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 12996
12931	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	nautilus
User: user Integrity Level: UNKNOWN Exit code: 0
12946	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 482
12951	/lib/systemd/systemd-hostnamed	/lib/systemd/systemd-hostnamed	—	systemd
User: root Integrity Level: UNKNOWN Exit code: 1195
12952	/usr/lib/snapd/snapd	/snap/snapd/20290/usr/lib/snapd/snapd	—	snapd
User: root Integrity Level: UNKNOWN
12959	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 482

Add for printing

Executable files

475

Suspicious files

72

Text files

233

Unknown types

4

Dropped files

PID	Process	Filename		Type
12930	nautilus	/home/user/.local/share/nautilus/tags/meta.db		binary
		MD5:—	SHA256:—
13121	dpkg-preconfigure	/var/cache/debconf/config.dat		text
		MD5:—	SHA256:—
13121	dpkg-preconfigure	/var/cache/debconf/templates.dat		text
		MD5:—	SHA256:—
12930	nautilus	/home/user/.local/share/recently-used.xbel		xml
		MD5:—	SHA256:—
12930	nautilus	/home/user/.local/share/recently-used.xbel.6ZB0O2		xml
		MD5:—	SHA256:—
12930	nautilus	/home/user/.local/share/nautilus/tags/meta.db-shm (deleted)		binary
		MD5:—	SHA256:—
13069	apt	/tmp/#6029359 (deleted)		text
		MD5:—	SHA256:—
13069	apt	/tmp/#6029364 (deleted)		text
		MD5:—	SHA256:—
13069	apt	/tmp/#6029378 (deleted)		text
		MD5:—	SHA256:—
13069	apt	/tmp/#6029379 (deleted)		text
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

20

TCP/UDP connections

20

DNS requests

24

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.48:80	http://connectivity-check.ubuntu.com/	unknown	—	—	unknown
13116	http	GET	—	185.125.190.81:80	http://archive.ubuntu.com/ubuntu/pool/main/libd/libdecor-0/libdecor-0-0_0.1.0-3build1_amd64.deb	unknown	—	—	unknown
13116	http	GET	—	185.125.190.81:80	http://archive.ubuntu.com/ubuntu/pool/main/libd/libdecor-0/libdecor-0-plugin-1-cairo_0.1.0-3build1_amd64.deb	unknown	—	—	unknown
13116	http	GET	200	185.125.190.81:80	http://archive.ubuntu.com/ubuntu/pool/universe/w/wine/fonts-wine_6.0.3%7erepack-1_all.deb	unknown	—	—	unknown
13116	http	GET	—	185.125.190.81:80	http://archive.ubuntu.com/ubuntu/pool/main/libs/libsdl2/libsdl2-2.0-0_2.0.20%2bdfsg-2build1_amd64.deb	unknown	—	—	unknown
13116	http	GET	—	185.125.190.81:80	http://archive.ubuntu.com/ubuntu/pool/universe/libs/libstb/libstb0_0.0%7egit20210910.af1a5bc%2bds-1_amd64.deb	unknown	—	—	unknown
13116	http	GET	—	185.125.190.81:80	http://archive.ubuntu.com/ubuntu/pool/universe/f/faudio/libfaudio0_22.02-1_amd64.deb	unknown	—	—	unknown
13116	http	GET	—	185.125.190.81:80	http://archive.ubuntu.com/ubuntu/pool/universe/libg/libgsm/libgsm1_1.0.19-1_amd64.deb	unknown	—	—	unknown
13116	http	GET	—	185.125.190.81:80	http://archive.ubuntu.com/ubuntu/pool/main/u/unixodbc/libodbc2_2.3.9-5_amd64.deb	unknown	—	—	unknown
13116	http	GET	—	185.125.190.81:80	http://archive.ubuntu.com/ubuntu/pool/universe/o/openal-soft/libopenal-data_1.19.1-2build3_all.deb	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
470	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.48:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	unknown
—	—	185.125.190.49:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	unknown
—	—	156.146.33.140:443	odrs.gnome.org	Datacamp Limited	DE	unknown
—	—	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
485	snapd	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	malicious
485	snapd	185.125.188.58:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
485	snapd	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
13116	http	185.125.190.81:80	archive.ubuntu.com	Canonical Group Limited	GB	unknown
485	snapd	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	unknown

DNS requests

Domain	IP	Reputation
odrs.gnome.org	156.146.33.140 156.146.33.138 156.146.33.14 195.181.175.16 212.102.56.178 195.181.175.40 195.181.170.18 212.102.56.182 2a02:6ea0:c700::11 2a02:6ea0:c700::17 2a02:6ea0:c700::18 2a02:6ea0:c700::19 2a02:6ea0:c700::21 2a02:6ea0:c700::22 2a02:6ea0:c700::101 2a02:6ea0:c700::10	unknown
api.snapcraft.io	185.125.188.55 185.125.188.58 185.125.188.59 185.125.188.54	unknown
224.100.168.192.in-addr.arpa	—	unknown
connectivity-check.ubuntu.com	2001:67c:1562::23 2620:2d:4000:1::98 2620:2d:4002:1::197 2620:2d:4000:1::23 2620:2d:4000:1::2a 2620:2d:4002:1::196 2620:2d:4000:1::96 2620:2d:4000:1::22 2001:67c:1562::24 2620:2d:4000:1::2b 2620:2d:4000:1::97 2620:2d:4002:1::198 185.125.190.98 91.189.91.98 91.189.91.48 185.125.190.49 185.125.190.48 91.189.91.49 91.189.91.96 185.125.190.18 185.125.190.17 91.189.91.97 185.125.190.96 185.125.190.97	unknown
_http._tcp.archive.ubuntu.com	—	unknown
archive.ubuntu.com	185.125.190.81 91.189.91.83 91.189.91.81 91.189.91.82 185.125.190.83 185.125.190.82 2620:2d:4000:1::102 2620:2d:4002:1::103 2620:2d:4000:1::101 2620:2d:4002:1::102 2620:2d:4000:1::103 2620:2d:4002:1::101	unknown
changelogs.ubuntu.com	185.125.190.17 91.189.91.48 91.189.91.49 185.125.190.18 2620:2d:4000:1::2b 2620:2d:4000:1::2a	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

VUMVHM3RZP.exe

6785144A0ECB7FB6754C61DA7BA3612B

83528AB1782A9D21A82845DD1F519ED3F252B61A

7DD73AF4A4845B7DF80AD1AABD8FC269395C9BA515312E26645E6339CB9FD765

98304:a5RqtGVHKCvSaJhGcGN8khq8hUdbAObtIEOI9NxKntDTCICoSu8pIKNvQzLDE+iy:xBF9M

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Modifies hosts file

Drops the executable file immediately after the start

SUSPICIOUS

Checks DMI information (probably VM detection)

Executes commands using command-line interpreter

Executable content was dropped or overwritten

Process drops legitimate windows executable

Executes the "rm" command to delete files or directories

Creates or rewrites file in the "bin" folder

Changes time attribute to hide new files or make changes to the existing one

Reads /proc/mounts (likely used to find writable filesystems)

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings