610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb

General

Target

610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe
Size

68KB
MD5

1d6c90d80ed41db48e6a4df1d4e474b0
SHA1

9b9bb111792fccdb55aad65d9823f17710816e36
SHA256

610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb
SHA512

fcd1ae1fea1bd55df28c14c03a5dc0cbb2e66894edb200e22915a88fae594c39b72d05ac40232ff7e911fbf4920f3b953cb6f0a5df4e4981913f89d6693cbeb0
SSDEEP

1536:lAUg7Xm0RmNAtk4myu4H1epSF3P5i8EKwr:lwa04N6myue4u5Qlr

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe

Executes dropped EXE 2 IoCs

pid	Process
856	winusm.exe
516	winusm.exe

Loads dropped DLL 1 IoCs

pid	Process
1316	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows System = "C:\\Users\\Admin\\P-7-78-8964-9648-3874\\winusm.exe"	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1272 set thread context of 1316	1272	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe	27
PID 856 set thread context of 516	856	winusm.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 1316	1272	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe	27
PID 1272 wrote to memory of 1316	1272	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe	27
PID 1272 wrote to memory of 1316	1272	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe	27
PID 1272 wrote to memory of 1316	1272	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe	27
PID 1272 wrote to memory of 1316	1272	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe	27
PID 1272 wrote to memory of 1316	1272	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe	27
PID 1272 wrote to memory of 1316	1272	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe	27
PID 1272 wrote to memory of 1316	1272	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe	27
PID 1316 wrote to memory of 856	1316	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe	28
PID 1316 wrote to memory of 856	1316	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe	28
PID 1316 wrote to memory of 856	1316	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe	28
PID 1316 wrote to memory of 856	1316	610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe	28
PID 856 wrote to memory of 516	856	winusm.exe	29
PID 856 wrote to memory of 516	856	winusm.exe	29
PID 856 wrote to memory of 516	856	winusm.exe	29
PID 856 wrote to memory of 516	856	winusm.exe	29
PID 856 wrote to memory of 516	856	winusm.exe	29
PID 856 wrote to memory of 516	856	winusm.exe	29
PID 856 wrote to memory of 516	856	winusm.exe	29
PID 856 wrote to memory of 516	856	winusm.exe	29

C:\Users\Admin\AppData\Local\Temp\610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe
"C:\Users\Admin\AppData\Local\Temp\610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe
  C:\Users\Admin\AppData\Local\Temp\610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe
  2⤵
  - Modifies firewall policy service
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe
    "C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe
      C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe
      4⤵
      Executes dropped EXE
      PID:516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe

Filesize
68KB

MD5
1d6c90d80ed41db48e6a4df1d4e474b0

SHA1
9b9bb111792fccdb55aad65d9823f17710816e36

SHA256
610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb

SHA512
fcd1ae1fea1bd55df28c14c03a5dc0cbb2e66894edb200e22915a88fae594c39b72d05ac40232ff7e911fbf4920f3b953cb6f0a5df4e4981913f89d6693cbeb0

Download Submit
C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe

Filesize
68KB

MD5
1d6c90d80ed41db48e6a4df1d4e474b0

SHA1
9b9bb111792fccdb55aad65d9823f17710816e36

SHA256
610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb

SHA512
fcd1ae1fea1bd55df28c14c03a5dc0cbb2e66894edb200e22915a88fae594c39b72d05ac40232ff7e911fbf4920f3b953cb6f0a5df4e4981913f89d6693cbeb0

Download Submit
\Users\Admin\P-7-78-8964-9648-3874\winusm.exe

Filesize
68KB

MD5
1d6c90d80ed41db48e6a4df1d4e474b0

SHA1
9b9bb111792fccdb55aad65d9823f17710816e36

SHA256
610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb

SHA512
fcd1ae1fea1bd55df28c14c03a5dc0cbb2e66894edb200e22915a88fae594c39b72d05ac40232ff7e911fbf4920f3b953cb6f0a5df4e4981913f89d6693cbeb0

Download Submit
memory/516-73-0x0000000000411D80-mapping.dmp

Download
memory/856-66-0x0000000000000000-mapping.dmp

Download
memory/1316-58-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1316-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1316-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1316-64-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1316-61-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1316-59-0x0000000000411D80-mapping.dmp

Download
memory/1316-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1316-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1316-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads