7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4

General

Target

7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe
Size

113KB
MD5

b3537a685e23afc74e0c1a826a05b9f0
SHA1

f1d3b51c72286c355f0a9c593534acfe967e37e7
SHA256

7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4
SHA512

b5460cff3779ffb7e137656f61849c989e80f3be8a09ce4ff15dc4cb6a625df22489063a7681d7b171e4a7848b6d8e15dad35e72a3dbd6337d77739945e573c8
SSDEEP

1536:4vX0Fsao+upmcDuZMrlXmKhpUgGZ0IDbl40SdgjcP:l29RX5UHZ0I9oe6

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe = "C:\\Users\\Admin\\P-7-78-8964-9648-3874\\wincrs.exe:*:Enabled:Microsoft Windows System"	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe

Executes dropped EXE 2 IoCs

pid	Process
1496	wincrs.exe
1872	wincrs.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe
1968	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows System = "C:\\Users\\Admin\\P-7-78-8964-9648-3874\\wincrs.exe"	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 1968	2008	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	27
PID 1496 set thread context of 1872	1496	wincrs.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1968	2008	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	27
PID 2008 wrote to memory of 1968	2008	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	27
PID 2008 wrote to memory of 1968	2008	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	27
PID 2008 wrote to memory of 1968	2008	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	27
PID 2008 wrote to memory of 1968	2008	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	27
PID 2008 wrote to memory of 1968	2008	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	27
PID 2008 wrote to memory of 1968	2008	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	27
PID 2008 wrote to memory of 1968	2008	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	27
PID 2008 wrote to memory of 1968	2008	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	27
PID 2008 wrote to memory of 1968	2008	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	27
PID 2008 wrote to memory of 1968	2008	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	27
PID 1968 wrote to memory of 1496	1968	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	28
PID 1968 wrote to memory of 1496	1968	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	28
PID 1968 wrote to memory of 1496	1968	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	28
PID 1968 wrote to memory of 1496	1968	7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe	28
PID 1496 wrote to memory of 1872	1496	wincrs.exe	29
PID 1496 wrote to memory of 1872	1496	wincrs.exe	29
PID 1496 wrote to memory of 1872	1496	wincrs.exe	29
PID 1496 wrote to memory of 1872	1496	wincrs.exe	29
PID 1496 wrote to memory of 1872	1496	wincrs.exe	29
PID 1496 wrote to memory of 1872	1496	wincrs.exe	29
PID 1496 wrote to memory of 1872	1496	wincrs.exe	29
PID 1496 wrote to memory of 1872	1496	wincrs.exe	29
PID 1496 wrote to memory of 1872	1496	wincrs.exe	29
PID 1496 wrote to memory of 1872	1496	wincrs.exe	29
PID 1496 wrote to memory of 1872	1496	wincrs.exe	29

C:\Users\Admin\AppData\Local\Temp\7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe
"C:\Users\Admin\AppData\Local\Temp\7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe
  "C:\Users\Admin\AppData\Local\Temp\7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4.exe"
  2⤵
  - Modifies firewall policy service
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe
    "C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe
      "C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe"
      4⤵
      Executes dropped EXE
      PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe

Filesize
113KB

MD5
b3537a685e23afc74e0c1a826a05b9f0

SHA1
f1d3b51c72286c355f0a9c593534acfe967e37e7

SHA256
7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4

SHA512
b5460cff3779ffb7e137656f61849c989e80f3be8a09ce4ff15dc4cb6a625df22489063a7681d7b171e4a7848b6d8e15dad35e72a3dbd6337d77739945e573c8

Download Submit
C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe

Filesize
113KB

MD5
b3537a685e23afc74e0c1a826a05b9f0

SHA1
f1d3b51c72286c355f0a9c593534acfe967e37e7

SHA256
7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4

SHA512
b5460cff3779ffb7e137656f61849c989e80f3be8a09ce4ff15dc4cb6a625df22489063a7681d7b171e4a7848b6d8e15dad35e72a3dbd6337d77739945e573c8

Download Submit
C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe

Filesize
113KB

MD5
b3537a685e23afc74e0c1a826a05b9f0

SHA1
f1d3b51c72286c355f0a9c593534acfe967e37e7

SHA256
7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4

SHA512
b5460cff3779ffb7e137656f61849c989e80f3be8a09ce4ff15dc4cb6a625df22489063a7681d7b171e4a7848b6d8e15dad35e72a3dbd6337d77739945e573c8

Download Submit
\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe

Filesize
113KB

MD5
b3537a685e23afc74e0c1a826a05b9f0

SHA1
f1d3b51c72286c355f0a9c593534acfe967e37e7

SHA256
7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4

SHA512
b5460cff3779ffb7e137656f61849c989e80f3be8a09ce4ff15dc4cb6a625df22489063a7681d7b171e4a7848b6d8e15dad35e72a3dbd6337d77739945e573c8

Download Submit
\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe

Filesize
113KB

MD5
b3537a685e23afc74e0c1a826a05b9f0

SHA1
f1d3b51c72286c355f0a9c593534acfe967e37e7

SHA256
7b3f5c89f5f93a9ae82efe1d046ffd7766b51f4607e6b577de6a738e6b80ade4

SHA512
b5460cff3779ffb7e137656f61849c989e80f3be8a09ce4ff15dc4cb6a625df22489063a7681d7b171e4a7848b6d8e15dad35e72a3dbd6337d77739945e573c8

Download Submit
memory/1496-87-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1968-61-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1968-68-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1968-69-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1968-63-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1968-62-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1968-60-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1968-58-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1968-56-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1968-55-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2008-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2008-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads