fd186d10665fce43ab40e833829c2ce313210c046e545d1900de581b54b40130

General

Target

6d15f0bad6a5098b3fbccf9093abf880_exe32.exe
Size

208KB
MD5

6d15f0bad6a5098b3fbccf9093abf880
SHA1

5ff229caebf2d770ce6b36164895fc0db751004a
SHA256

fd186d10665fce43ab40e833829c2ce313210c046e545d1900de581b54b40130
SHA512

91bbda193a2b400372b2062f6ce70a3e61ad46daf6224dcd304a4b75d71d71465ef825918a8c28d5f34a6772e739855c0786c4f3a679f4e4ce2bf53bf8d8d4bd
SSDEEP

6144:vEmQNhpmnlBeLb8jNKZnWXd5gHgnT6SeTYnseOEXQEj1:vyNhpmnwnkNOyQC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2612	VMS.exe

Loads dropped DLL 2 IoCs

pid	Process
2940	cmd.exe
2940	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\system\VMS.exe	6d15f0bad6a5098b3fbccf9093abf880_exe32.exe
File opened for modification	C:\windows\system\VMS.exe	6d15f0bad6a5098b3fbccf9093abf880_exe32.exe
File created	C:\windows\system\VMS.exe.bat	6d15f0bad6a5098b3fbccf9093abf880_exe32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2988	6d15f0bad6a5098b3fbccf9093abf880_exe32.exe
2612	VMS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2988	6d15f0bad6a5098b3fbccf9093abf880_exe32.exe
2988	6d15f0bad6a5098b3fbccf9093abf880_exe32.exe
2612	VMS.exe
2612	VMS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2940	2988	6d15f0bad6a5098b3fbccf9093abf880_exe32.exe	28
PID 2988 wrote to memory of 2940	2988	6d15f0bad6a5098b3fbccf9093abf880_exe32.exe	28
PID 2988 wrote to memory of 2940	2988	6d15f0bad6a5098b3fbccf9093abf880_exe32.exe	28
PID 2988 wrote to memory of 2940	2988	6d15f0bad6a5098b3fbccf9093abf880_exe32.exe	28
PID 2940 wrote to memory of 2612	2940	cmd.exe	30
PID 2940 wrote to memory of 2612	2940	cmd.exe	30
PID 2940 wrote to memory of 2612	2940	cmd.exe	30
PID 2940 wrote to memory of 2612	2940	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\6d15f0bad6a5098b3fbccf9093abf880_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\6d15f0bad6a5098b3fbccf9093abf880_exe32.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\VMS.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\windows\system\VMS.exe
    C:\windows\system\VMS.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\VMS.exe

Filesize
208KB

MD5
11b5d3a6320a8c319cf8f3bde0058874

SHA1
a61f821af1dc06ac6c3974d4d0f54b0aca853c9b

SHA256
8c444eca0ee136f8074a4cd65227148028e8e8fab892be844d03f204b6ea5cf9

SHA512
18e3e9d146e89427017942d131b3de30d6fed2cfe2f0b0ebdd462ccfc94c58f0a834b927aa7845d0cb431f8de4da73525cb1b8b16fdc9a8a76b70feb10d90d12

Download Submit
C:\Windows\system\VMS.exe.bat

Filesize
66B

MD5
b75a70575964f1d5b8efb7f7188e6f34

SHA1
48c023afda7cab28e8a4d83fa757d41732cb544f

SHA256
7f9e380e4d5faf39dcbd06626fbbbcc7cb8a4bd208aa8cd7483c36dc1e6598ec

SHA512
9a212075d07fd5e687ad3d5dd395e0d67c6ca38a4f6c778f83bc9634013b4c3a2cc5698c63202a0c161fc8544964b558bc7ac6b55181c9f9c1737ecc06e6a183

Download Submit
C:\windows\system\VMS.exe

Filesize
208KB

MD5
11b5d3a6320a8c319cf8f3bde0058874

SHA1
a61f821af1dc06ac6c3974d4d0f54b0aca853c9b

SHA256
8c444eca0ee136f8074a4cd65227148028e8e8fab892be844d03f204b6ea5cf9

SHA512
18e3e9d146e89427017942d131b3de30d6fed2cfe2f0b0ebdd462ccfc94c58f0a834b927aa7845d0cb431f8de4da73525cb1b8b16fdc9a8a76b70feb10d90d12

Download Submit
C:\windows\system\VMS.exe.bat

Filesize
66B

MD5
b75a70575964f1d5b8efb7f7188e6f34

SHA1
48c023afda7cab28e8a4d83fa757d41732cb544f

SHA256
7f9e380e4d5faf39dcbd06626fbbbcc7cb8a4bd208aa8cd7483c36dc1e6598ec

SHA512
9a212075d07fd5e687ad3d5dd395e0d67c6ca38a4f6c778f83bc9634013b4c3a2cc5698c63202a0c161fc8544964b558bc7ac6b55181c9f9c1737ecc06e6a183

Download Submit
\Windows\system\VMS.exe

Filesize
208KB

MD5
11b5d3a6320a8c319cf8f3bde0058874

SHA1
a61f821af1dc06ac6c3974d4d0f54b0aca853c9b

SHA256
8c444eca0ee136f8074a4cd65227148028e8e8fab892be844d03f204b6ea5cf9

SHA512
18e3e9d146e89427017942d131b3de30d6fed2cfe2f0b0ebdd462ccfc94c58f0a834b927aa7845d0cb431f8de4da73525cb1b8b16fdc9a8a76b70feb10d90d12

Download Submit
\Windows\system\VMS.exe

Filesize
208KB

MD5
11b5d3a6320a8c319cf8f3bde0058874

SHA1
a61f821af1dc06ac6c3974d4d0f54b0aca853c9b

SHA256
8c444eca0ee136f8074a4cd65227148028e8e8fab892be844d03f204b6ea5cf9

SHA512
18e3e9d146e89427017942d131b3de30d6fed2cfe2f0b0ebdd462ccfc94c58f0a834b927aa7845d0cb431f8de4da73525cb1b8b16fdc9a8a76b70feb10d90d12

Download Submit
memory/2612-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2940-16-0x0000000000440000-0x0000000000478000-memory.dmp

Filesize
224KB

Download
memory/2940-20-0x0000000000440000-0x0000000000478000-memory.dmp

Filesize
224KB

Download
memory/2988-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2988-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing