Analysis
- max time kernel: 120s
- max time network: 127s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:53
Static task: static1
Behavioral task: behavioral1
- Sample: 19353e191531bb53065906d575fe2ce72e9fede1b32cfc814ce35990a5da73b1.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 19353e191531bb53065906d575fe2ce72e9fede1b32cfc814ce35990a5da73b1.exe
- Resource: win10v2004-en-20220112
General
- Target: 19353e191531bb53065906d575fe2ce72e9fede1b32cfc814ce35990a5da73b1.exe
- Size: 36KB
- MD5: 17a23add0764bd1d99fd825421ddb0d5
- SHA1: 752003a6c5975a5630bae7ed4d72013a589cac50
- SHA256: 19353e191531bb53065906d575fe2ce72e9fede1b32cfc814ce35990a5da73b1
- SHA512: d37632051f8a8454faca24490aeb149472267303d2c8f337671ac73a0bc68368ea55c4eb17cc2da8fd5b643f0d54d1ce1a73e6080c987c97964614236634a860
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  268 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  984 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  960 | 19353e191531bb53065906d575fe2ce72e9fede1b32cfc814ce35990a5da73b1.exe
  960 | 19353e191531bb53065906d575fe2ce72e9fede1b32cfc814ce35990a5da73b1.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 19353e191531bb53065906d575fe2ce72e9fede1b32cfc814ce35990a5da73b1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 960 | 19353e191531bb53065906d575fe2ce72e9fede1b32cfc814ce35990a5da73b1.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process), each row recorded four times:
  PID 960 wrote to memory of 268 | 960 | 19353e191531bb53065906d575fe2ce72e9fede1b32cfc814ce35990a5da73b1.exe | MediaCenter.exe
  PID 960 wrote to memory of 984 | 960 | 19353e191531bb53065906d575fe2ce72e9fede1b32cfc814ce35990a5da73b1.exe | cmd.exe
  PID 984 wrote to memory of 1792 | 984 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\19353e191531bb53065906d575fe2ce72e9fede1b32cfc814ce35990a5da73b1.exe (PID 960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\19353e191531bb53065906d575fe2ce72e9fede1b32cfc814ce35990a5da73b1.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 268)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 984)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\19353e191531bb53065906d575fe2ce72e9fede1b32cfc814ce35990a5da73b1.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1792)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 056951341ebf033e0bab131fa2f6791a
- SHA1: 81d88097c8c44a214f7e1b6e9899f168dc7ba968
- SHA256: 45e075db04e3b23d22a86ff36a360902c9c51d59f139c8ae1fd2592d46d47496
- SHA512: 11dddfda7fc7a49c161eeca067716c7af37caf513bd04244d949f9dfc2084d530186a0bee0271111f7450cc89fddacf3da638bad1630e90dd443024a515671d6