Analysis
max time kernel: 146s
max time network: 170s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 02:48
Static task: static1
Behavioral task: behavioral1
Sample: 1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe
Resource: win10v2004-en-20220113
General
Target: 1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe
Size: 58KB
MD5: 36aa94ab44a004b13682d76ed9a9249b
SHA1: f33a46ca0a9ff722d64f0f9c3b03a14374d1a5ef
SHA256: 1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5
SHA512: d44c7e6043b63902be79b94bd4930e8eb66f944b4aeb1dca759aab7c61debb89edcf4a7d0dba905254c661bddbb8262b5b91f984a3425a66c4ef43bc0e9f8196
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1636  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
    1292  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1224  1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe
    1224  1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1224  1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1224 wrote to memory of 1636  1224  1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe  MediaCenter.exe
    PID 1224 wrote to memory of 1636  1224  1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe  MediaCenter.exe
    PID 1224 wrote to memory of 1636  1224  1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe  MediaCenter.exe
    PID 1224 wrote to memory of 1636  1224  1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe  MediaCenter.exe
    PID 1224 wrote to memory of 1292  1224  1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe  cmd.exe
    PID 1224 wrote to memory of 1292  1224  1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe  cmd.exe
    PID 1224 wrote to memory of 1292  1224  1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe  cmd.exe
    PID 1224 wrote to memory of 1292  1224  1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe  cmd.exe
    PID 1292 wrote to memory of 1504  1292  cmd.exe  PING.EXE
    PID 1292 wrote to memory of 1504  1292  cmd.exe  PING.EXE
    PID 1292 wrote to memory of 1504  1292  cmd.exe  PING.EXE
    PID 1292 wrote to memory of 1504  1292  cmd.exe  PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1224
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1636
  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1972cf18da195815e8382a3eea2eb2e77439c412d2092d6d058a3527cc8ef7d5.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1292
    C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1504
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 208fa0ef42d25a03751e9e29cf13b4f4
SHA1: eb739edba62aa6a9b38ba92acb52e7584ac2dd04
SHA256: c599288f79d4309de6a1a99eed15c687e512f86fa2ff04221f6e355d690a2504
SHA512: c02fd7b7e37d9a8c91848df78696a80d53d29b5442eec6f43e03ee085bbb0ae6d5e881c8ff818d5399d379f7f787aade78c654b17da140e64ad4d56a43d6bcc5