Analysis
- max time kernel: 120s
- max time network: 128s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:35
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe
  - Resource: win7-en-20211208
Behavioral task
- behavioral2
  - Sample: 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe
  - Resource: win10v2004-en-20220112
General
- Target: 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe
- Size: 60KB
- MD5: da71795a151fe492b2c452fb111e9c9d
- SHA1: 02e5fd512c7a8fe82e536be6815d80d6b98e3356
- SHA256: 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d
- SHA512: 71dc3f1ef0180c6467e097d479855114d5e1fb8fda9f17959be8e59135b04d49ec55879ce639670d7d903aa894b66727f57e085dd8281bc13b3ccc706dee0ead
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1100 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  1188 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  952 | 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe
  952 | 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 952 | 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 952 wrote to memory of 1100 | 952 | 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe | MediaCenter.exe
  PID 952 wrote to memory of 1100 | 952 | 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe | MediaCenter.exe
  PID 952 wrote to memory of 1100 | 952 | 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe | MediaCenter.exe
  PID 952 wrote to memory of 1100 | 952 | 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe | MediaCenter.exe
  PID 952 wrote to memory of 1188 | 952 | 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe | cmd.exe
  PID 952 wrote to memory of 1188 | 952 | 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe | cmd.exe
  PID 952 wrote to memory of 1188 | 952 | 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe | cmd.exe
  PID 952 wrote to memory of 1188 | 952 | 174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe | cmd.exe
  PID 1188 wrote to memory of 1184 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 1184 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 1184 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 1184 | 1188 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 952
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1100
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\174332edaa12a95d4b0f991b9d7514f88502556fc722156ee6edfd82d8c42f7d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1188
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1184
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f7aa8e65b4b289a0a9ae3ff5306ec355
  SHA1: d98980473ad45757f8580938b1d9c46371e8e5e6
  SHA256: e019a542ddd748d3ddc22f10e8aa7d5499cd1894bf5fc70199cb4be8c7a3e51d
  SHA512: 5d747af1eac436884b11a8b2ee360c524f0fb4eaa654aaad65744a23f4db6e5009bef2bc04090c9cde8728b946b14c02215aa2e24a3e67559b3007b1a3dc4288