Analysis
- max time kernel: 119s
- max time network: 129s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:33
Static task: static1
Behavioral task: behavioral1
  Sample: 175082e34cd413bbe7f17705b14440ee80fbe791d63311f228cdbc98d44c1f49.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 175082e34cd413bbe7f17705b14440ee80fbe791d63311f228cdbc98d44c1f49.exe
  Resource: win10v2004-en-20220113
General
- Target: 175082e34cd413bbe7f17705b14440ee80fbe791d63311f228cdbc98d44c1f49.exe
- Size: 36KB
- MD5: d726521aa21fcf505dc48654ba450692
- SHA1: ef3c9adc64f7e411d81dcdc93ed00bf0f01a9033
- SHA256: 175082e34cd413bbe7f17705b14440ee80fbe791d63311f228cdbc98d44c1f49
- SHA512: a82dd4214eb5c37294c068af7c8da8fb84677d5fe8d9fb7d43149e6ab8f4f8b40773d2a8b11c61c8aad4ff14b86362782fddc96b4a54e41951f3cfa6e3770215
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1796)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 392)
- Loads dropped DLL (2 IoCs)
  Processes: 175082e34cd413bbe7f17705b14440ee80fbe791d63311f228cdbc98d44c1f49.exe (PID 1608), listed twice
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 175082e34cd413bbe7f17705b14440ee80fbe791d63311f228cdbc98d44c1f49.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 175082e34cd413bbe7f17705b14440ee80fbe791d63311f228cdbc98d44c1f49.exe (PID 1608)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 175082e34cd413bbe7f17705b14440ee80fbe791d63311f228cdbc98d44c1f49.exe, cmd.exe
  PID 1608 (175082e34cd413bbe7f17705b14440ee80fbe791d63311f228cdbc98d44c1f49.exe) wrote to memory of PID 1796 (MediaCenter.exe), 4 entries
  PID 1608 (175082e34cd413bbe7f17705b14440ee80fbe791d63311f228cdbc98d44c1f49.exe) wrote to memory of PID 392 (cmd.exe), 4 entries
  PID 392 (cmd.exe) wrote to memory of PID 1632 (PING.EXE), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\175082e34cd413bbe7f17705b14440ee80fbe791d63311f228cdbc98d44c1f49.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\175082e34cd413bbe7f17705b14440ee80fbe791d63311f228cdbc98d44c1f49.exe"
  PID: 1608
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1796
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\175082e34cd413bbe7f17705b14440ee80fbe791d63311f228cdbc98d44c1f49.exe"
    PID: 392
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1632
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a885c0a102544a56fb4db5ec34f9cb57
  SHA1: 4c9218fc83360b8f65a786b02297b91c7a58a76c
  SHA256: dc1ceb1a800d2590a53ef391edff4ec3f3e482f227dfb97fac16ca09ffd13542
  SHA512: 09c69512bb6c52182a6672eda39411bd63395586feebbf2955a2be1c626211310425481cbf2799a638608596e1dd778811d17c455de0ac7f5097663233ef09b5