Analysis
- max time kernel: 117s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:54
Static task: static1
Behavioral task: behavioral1
- Sample: 191f8eba88e39c1d50380fa9e21209842e229731b78ba66e5aec29f8499e56e1.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 191f8eba88e39c1d50380fa9e21209842e229731b78ba66e5aec29f8499e56e1.exe
- Resource: win10v2004-en-20220112
General
- Target: 191f8eba88e39c1d50380fa9e21209842e229731b78ba66e5aec29f8499e56e1.exe
- Size: 60KB
- MD5: 7d03dd3299c8529b1a7bf2570dc62b7a
- SHA1: 0a330a4a5f0d9949990a7ffebe3ee3c00ed25511
- SHA256: 191f8eba88e39c1d50380fa9e21209842e229731b78ba66e5aec29f8499e56e1
- SHA512: 74150921c35e16c0ef16d4ca1ffb44d0bb95b01909dec04a8510f073df249a0f6bf5d5d0cd3b981ed49667b2d8532074bf3ea2542593de01da8e19cb2a424579
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1888, MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    812, cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1684, 191f8eba88e39c1d50380fa9e21209842e229731b78ba66e5aec29f8499e56e1.exe
    1684, 191f8eba88e39c1d50380fa9e21209842e229731b78ba66e5aec29f8499e56e1.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str), \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", 191f8eba88e39c1d50380fa9e21209842e229731b78ba66e5aec29f8499e56e1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege, 1684, 191f8eba88e39c1d50380fa9e21209842e229731b78ba66e5aec29f8499e56e1.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process), each row reported 4 times:
    PID 1684 wrote to memory of 1888, 1684, 191f8eba88e39c1d50380fa9e21209842e229731b78ba66e5aec29f8499e56e1.exe, MediaCenter.exe
    PID 1684 wrote to memory of 812, 1684, 191f8eba88e39c1d50380fa9e21209842e229731b78ba66e5aec29f8499e56e1.exe, cmd.exe
    PID 812 wrote to memory of 1996, 812, cmd.exe, PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\191f8eba88e39c1d50380fa9e21209842e229731b78ba66e5aec29f8499e56e1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\191f8eba88e39c1d50380fa9e21209842e229731b78ba66e5aec29f8499e56e1.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1684
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1888
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\191f8eba88e39c1d50380fa9e21209842e229731b78ba66e5aec29f8499e56e1.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 812
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1996
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c6ade0e58c7f555b0d671a836247e1c9
  SHA1: f53835a4ed629ab2a984f4fe3f628b888f4ae7e2
  SHA256: a9c57e62422d76154d1498c117358303064c7c1b6b18d299226992fecccf4e17
  SHA512: 4159c3da0b5701ad8b8afcc8f5923b5217cc4c173a7311eaa834e1ea961a7c8672c40619a4e21c5f41505d90d0828d4d34c49597b2f11801d4405afff094056b