Analysis
- max time kernel: 137s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:53
Static task: static1
Behavioral task: behavioral1
- Sample: 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe
- Resource: win10v2004-en-20220112
General
- Target: 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe
- Size: 36KB
- MD5: 1e03520920495fa80a6fa77841f647f8
- SHA1: a965f481818d3d66dc6fd446b78baf7303caf1c9
- SHA256: 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892
- SHA512: 8aec43e981a23cb67d3424b05ba2a1aa0bbba7ade7adf64c291c3d67d63dd9c62b9a194c6714137f2bd70cf205d294f0b588a228501d71bd592347c1a83da83f
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid 1204, process MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid 916, process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe
    pid 1292, process 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe
    pid 1292, process 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe
    description: Token: SeIncBasePriorityPrivilege
    pid 1292, process 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe, cmd.exe
    PID 1292 wrote to memory of 1204; process 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe, target process MediaCenter.exe (4 entries)
    PID 1292 wrote to memory of 916; process 192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe, target process cmd.exe (4 entries)
    PID 916 wrote to memory of 872; process cmd.exe, target process PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1292
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1204
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\192d4760bfa9b2c2ea1963abf190fe5ba27d26ac26db74a79ac87917bf081892.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 916
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 872
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d5870b202d61ca5c0e77cc95f212f316
  SHA1: 6a0edc77070f59c5a593ecfa82b9f04fcdd41e4f
  SHA256: 60cf1dc1802fabd83945e0c1fe24e8de07d9fe9991291047e10c470c34a4045d
  SHA512: bc85f5d224522874bdd57808027dc01c2d868bac4131b5e72b1e945aaf5c641aef8c79a304adc344822c36fbb08d97c519cf502f85ddb7aa36f689264cb4ee86