Analysis
- max time kernel: 119s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:52
Static task: static1
Behavioral task: behavioral1
- Sample: 193a7c7bf0f7e391a475cb8c140bef03277bf27a42fdfb360d235abfc2134a21.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 193a7c7bf0f7e391a475cb8c140bef03277bf27a42fdfb360d235abfc2134a21.exe
- Resource: win10v2004-en-20220112
General
- Target: 193a7c7bf0f7e391a475cb8c140bef03277bf27a42fdfb360d235abfc2134a21.exe
- Size: 35KB
- MD5: 549f5ca9b045d2553abb96a0d00a802f
- SHA1: 85c7f4d663bd0cacadf7970ea67547084db7edfc
- SHA256: 193a7c7bf0f7e391a475cb8c140bef03277bf27a42fdfb360d235abfc2134a21
- SHA512: ea12e296c68e42b6d640dd8fc7070afa3619619b0a7a6c72ee8c59491e3ebe94335d90c5e8e70d8b139cfdecda20a310babefb376d7e6b079583d8fd509a3092
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 964  process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid 740  process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid 812  process 193a7c7bf0f7e391a475cb8c140bef03277bf27a42fdfb360d235abfc2134a21.exe
  pid 812  process 193a7c7bf0f7e391a475cb8c140bef03277bf27a42fdfb360d235abfc2134a21.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 193a7c7bf0f7e391a475cb8c140bef03277bf27a42fdfb360d235abfc2134a21.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description: Token: SeIncBasePriorityPrivilege  pid 812  process 193a7c7bf0f7e391a475cb8c140bef03277bf27a42fdfb360d235abfc2134a21.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  PID 812 (193a7c7bf0f7e391a475cb8c140bef03277bf27a42fdfb360d235abfc2134a21.exe) wrote to memory of 964 (MediaCenter.exe)  [4 IoCs]
  PID 812 (193a7c7bf0f7e391a475cb8c140bef03277bf27a42fdfb360d235abfc2134a21.exe) wrote to memory of 740 (cmd.exe)  [4 IoCs]
  PID 740 (cmd.exe) wrote to memory of 960 (PING.EXE)  [4 IoCs]
Processes
- C:\Users\Admin\AppData\Local\Temp\193a7c7bf0f7e391a475cb8c140bef03277bf27a42fdfb360d235abfc2134a21.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\193a7c7bf0f7e391a475cb8c140bef03277bf27a42fdfb360d235abfc2134a21.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 812
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 964
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\193a7c7bf0f7e391a475cb8c140bef03277bf27a42fdfb360d235abfc2134a21.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 740
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 960
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a0a610f582ffe3f3d255fd54002e3f07
  SHA1: c50dd1a64a8dd030b4c11f395f4ac47ceecd3fb8
  SHA256: 7a1141e30494ba08fc9f57fdf722a781be11e5eeafe12c7350ba6b0c23c84df2
  SHA512: d6cbae6688d006c6a1cbd1e39f02cc5c739968946493fbec6f7708eb906edd9f0a983df046b0888e09b48ae28ab2c5b75f155e1bfb1d6fdde222484f88a0d38f