689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705

General

Target

689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe
Size

136KB
MD5

d52562e3797307875cbd3087e3774d32
SHA1

7668fe1e08196332f195ab889ec4f10b4a997bdb
SHA256

689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705
SHA512

544190a93fd85c8eadfa3533b8155db04a67068fb52fc080811e552231fd5588f27f851f5ff46c0c7579efb303a16d1cc18eafde4b65bcd981e15a4e8a2988bb
SSDEEP

3072:B9fpaVgrXWJuH7RgAiGkfM1+rS3vK0Ya71:vpQgrmJG7Rgo/+rS3SP

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe = "C:\\Users\\Admin\\P-7-78-8964-9648-3874\\wincrs.exe:*:Enabled:Microsoft Windows System"	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe

Executes dropped EXE 2 IoCs

pid	Process
1640	wincrs.exe
1104	wincrs.exe

Loads dropped DLL 2 IoCs

pid	Process
1952	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe
1952	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows System = "C:\\Users\\Admin\\P-7-78-8964-9648-3874\\wincrs.exe"	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 1952	2024	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	26
PID 1640 set thread context of 1104	1640	wincrs.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1952	2024	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	26
PID 2024 wrote to memory of 1952	2024	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	26
PID 2024 wrote to memory of 1952	2024	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	26
PID 2024 wrote to memory of 1952	2024	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	26
PID 2024 wrote to memory of 1952	2024	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	26
PID 2024 wrote to memory of 1952	2024	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	26
PID 2024 wrote to memory of 1952	2024	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	26
PID 2024 wrote to memory of 1952	2024	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	26
PID 2024 wrote to memory of 1952	2024	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	26
PID 2024 wrote to memory of 1952	2024	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	26
PID 2024 wrote to memory of 1952	2024	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	26
PID 1952 wrote to memory of 1640	1952	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	27
PID 1952 wrote to memory of 1640	1952	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	27
PID 1952 wrote to memory of 1640	1952	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	27
PID 1952 wrote to memory of 1640	1952	689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe	27
PID 1640 wrote to memory of 1104	1640	wincrs.exe	28
PID 1640 wrote to memory of 1104	1640	wincrs.exe	28
PID 1640 wrote to memory of 1104	1640	wincrs.exe	28
PID 1640 wrote to memory of 1104	1640	wincrs.exe	28
PID 1640 wrote to memory of 1104	1640	wincrs.exe	28
PID 1640 wrote to memory of 1104	1640	wincrs.exe	28
PID 1640 wrote to memory of 1104	1640	wincrs.exe	28
PID 1640 wrote to memory of 1104	1640	wincrs.exe	28
PID 1640 wrote to memory of 1104	1640	wincrs.exe	28
PID 1640 wrote to memory of 1104	1640	wincrs.exe	28
PID 1640 wrote to memory of 1104	1640	wincrs.exe	28

C:\Users\Admin\AppData\Local\Temp\689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe
"C:\Users\Admin\AppData\Local\Temp\689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe
  "C:\Users\Admin\AppData\Local\Temp\689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705.exe"
  2⤵
  - Modifies firewall policy service
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe
    "C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe
      "C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe"
      4⤵
      Executes dropped EXE
      PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe

Filesize
136KB

MD5
d52562e3797307875cbd3087e3774d32

SHA1
7668fe1e08196332f195ab889ec4f10b4a997bdb

SHA256
689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705

SHA512
544190a93fd85c8eadfa3533b8155db04a67068fb52fc080811e552231fd5588f27f851f5ff46c0c7579efb303a16d1cc18eafde4b65bcd981e15a4e8a2988bb

Download Submit
C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe

Filesize
136KB

MD5
d52562e3797307875cbd3087e3774d32

SHA1
7668fe1e08196332f195ab889ec4f10b4a997bdb

SHA256
689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705

SHA512
544190a93fd85c8eadfa3533b8155db04a67068fb52fc080811e552231fd5588f27f851f5ff46c0c7579efb303a16d1cc18eafde4b65bcd981e15a4e8a2988bb

Download Submit
C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe

Filesize
136KB

MD5
d52562e3797307875cbd3087e3774d32

SHA1
7668fe1e08196332f195ab889ec4f10b4a997bdb

SHA256
689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705

SHA512
544190a93fd85c8eadfa3533b8155db04a67068fb52fc080811e552231fd5588f27f851f5ff46c0c7579efb303a16d1cc18eafde4b65bcd981e15a4e8a2988bb

Download Submit
\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe

Filesize
136KB

MD5
d52562e3797307875cbd3087e3774d32

SHA1
7668fe1e08196332f195ab889ec4f10b4a997bdb

SHA256
689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705

SHA512
544190a93fd85c8eadfa3533b8155db04a67068fb52fc080811e552231fd5588f27f851f5ff46c0c7579efb303a16d1cc18eafde4b65bcd981e15a4e8a2988bb

Download Submit
\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe

Filesize
136KB

MD5
d52562e3797307875cbd3087e3774d32

SHA1
7668fe1e08196332f195ab889ec4f10b4a997bdb

SHA256
689824e4d4b3b6ddac6544d68a4878dfb6b558827da5c776913d154119b35705

SHA512
544190a93fd85c8eadfa3533b8155db04a67068fb52fc080811e552231fd5588f27f851f5ff46c0c7579efb303a16d1cc18eafde4b65bcd981e15a4e8a2988bb

Download Submit
memory/1952-59-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1952-64-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1952-68-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1952-69-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1952-63-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1952-62-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1952-61-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1952-57-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1952-56-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2024-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads