Analysis
max time kernel: 119s
max time network: 125s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 02:55
Static task: static1
Behavioral task: behavioral1
  Sample: 191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe
  Resource: win10v2004-en-20220113
General
Target: 191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe
Size: 58KB
MD5: a5a43634382a66b893f78d913adf3ffe
SHA1: 7ace171a82f063c42dac67ce170fc366a1bfd9e8
SHA256: 191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316
SHA512: 0a555ed95f236fcf5d404731d6a817cc5df73aed54f6985e79ee577a218d5808f767667c76ff024b7b42863aa847a13bca1ffbd801df452829049610341a8747
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1212  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
    1244  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    856  191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe
    856  191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  856  191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 856 wrote to memory of 1212  856  191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe  MediaCenter.exe  (4 identical entries)
    PID 856 wrote to memory of 1244  856  191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe  cmd.exe  (4 identical entries)
    PID 1244 wrote to memory of 1996  1244  cmd.exe  PING.EXE  (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 856
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1212
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1244
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1996
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 90c30123ad31d66d8f56d13e93531245
SHA1: 0180a29d723b040d31539d73337e4a764da9d83f
SHA256: 2419e2912da375b23d00dd89028c88469bcef13dc641c5a0bc5c2c5b1a6a729b
SHA512: 9554e94c563f689e7ac490af1f8ae5699eadda3efaf73159505290d6ead5b08eec49774bb01e3cddbb1e0d13928e579904f4d39f7b319bb573e6c0533586e1cb