Analysis
- max time kernel: 136s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:54
Static task: static1
Behavioral task: behavioral1
- Sample: 191fc164d9dc6744570e08d2608480e79ad0ec790a1817bfcca1c917cc26e7ca.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 191fc164d9dc6744570e08d2608480e79ad0ec790a1817bfcca1c917cc26e7ca.exe
- Resource: win10v2004-en-20220113
General
- Target: 191fc164d9dc6744570e08d2608480e79ad0ec790a1817bfcca1c917cc26e7ca.exe
- Size: 58KB
- MD5: 5cb1aa87712fa20d28e99f6b8c507a9e
- SHA1: e88a13b56937004e74e267af62e72281fe597e2e
- SHA256: 191fc164d9dc6744570e08d2608480e79ad0ec790a1817bfcca1c917cc26e7ca
- SHA512: 63e480b29f82984ba4b186b257c0fd9e5f31fe9ea54a3231821f6946f96477d5c894dd0e167db271f4f95247e9a32123b130417279cac5d060ce1fbc1abe3470
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1528)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 284)
- Loads dropped DLL (2 IoCs)
  Processes: 191fc164d9dc6744570e08d2608480e79ad0ec790a1817bfcca1c917cc26e7ca.exe (PID 1552), 2 events
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 191fc164d9dc6744570e08d2608480e79ad0ec790a1817bfcca1c917cc26e7ca.exe set value (str):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process 191fc164d9dc6744570e08d2608480e79ad0ec790a1817bfcca1c917cc26e7ca.exe (PID 1552), Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 1552 (191fc164d9dc6744570e08d2608480e79ad0ec790a1817bfcca1c917cc26e7ca.exe) wrote to memory of PID 1528 (MediaCenter.exe): 4 events
  - PID 1552 (191fc164d9dc6744570e08d2608480e79ad0ec790a1817bfcca1c917cc26e7ca.exe) wrote to memory of PID 284 (cmd.exe): 4 events
  - PID 284 (cmd.exe) wrote to memory of PID 1052 (PING.EXE): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\191fc164d9dc6744570e08d2608480e79ad0ec790a1817bfcca1c917cc26e7ca.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\191fc164d9dc6744570e08d2608480e79ad0ec790a1817bfcca1c917cc26e7ca.exe"
  PID: 1552
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1528
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\191fc164d9dc6744570e08d2608480e79ad0ec790a1817bfcca1c917cc26e7ca.exe"
    PID: 284
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 1052
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: cb0072cba11787cbb88b595ff34001ba
- SHA1: 8e23023e40e3d86077a2792fca09828cc3fb3ba1
- SHA256: 754c64e371fb1235009d801b9487a09efcdaec15fc95016eebb7852a79825b4d
- SHA512: 60035eb0aef825f59bee9efc46d973d51268edfb9bebd3387c0578a37135b853942b9b6441381dee4b025d121d25441125c0c39fd7b99139a8396b1af59dee0f