Analysis
- max time kernel: 125s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:55
Static task: static1
Behavioral task: behavioral1
- Sample: 190cb81782e0260af521558fd287eb38d300ead488a8f70f455d4106652e3c18.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 190cb81782e0260af521558fd287eb38d300ead488a8f70f455d4106652e3c18.exe
- Resource: win10v2004-en-20220113
General
- Target: 190cb81782e0260af521558fd287eb38d300ead488a8f70f455d4106652e3c18.exe
- Size: 60KB
- MD5: 79b649d69b334b72d00aeef77002209a
- SHA1: edf31f5499771d9a3fd8b8fc54aececff3ae9716
- SHA256: 190cb81782e0260af521558fd287eb38d300ead488a8f70f455d4106652e3c18
- SHA512: 66845f57240738316449be40746fe85692ddcf1d6b6d3ca10f8d98307928b3d4ee2aae38ea640b18de8aec2e6095b67f2dc1b93711500550b5f1c345a10e6ffa
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 852)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 968)
- Loads dropped DLL (2 IoCs)
  Processes: 190cb81782e0260af521558fd287eb38d300ead488a8f70f455d4106652e3c18.exe (PID 1620), two loads recorded
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 190cb81782e0260af521558fd287eb38d300ead488a8f70f455d4106652e3c18.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 190cb81782e0260af521558fd287eb38d300ead488a8f70f455d4106652e3c18.exe (PID 1620)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 190cb81782e0260af521558fd287eb38d300ead488a8f70f455d4106652e3c18.exe, cmd.exe
  PID 1620 (190cb81782e0260af521558fd287eb38d300ead488a8f70f455d4106652e3c18.exe) wrote to memory of PID 852 (MediaCenter.exe), recorded 4 times
  PID 1620 (190cb81782e0260af521558fd287eb38d300ead488a8f70f455d4106652e3c18.exe) wrote to memory of PID 968 (cmd.exe), recorded 4 times
  PID 968 (cmd.exe) wrote to memory of PID 592 (PING.EXE), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\190cb81782e0260af521558fd287eb38d300ead488a8f70f455d4106652e3c18.exe (PID 1620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\190cb81782e0260af521558fd287eb38d300ead488a8f70f455d4106652e3c18.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 852)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 968)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\190cb81782e0260af521558fd287eb38d300ead488a8f70f455d4106652e3c18.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 592)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9e1e85dbde9099d2b675183bfcf87483
  SHA1: ec699735bb22d54a92b89dccd553c6a1587e5fcd
  SHA256: 94d761337ee7522a0d38e1d0d4d97777727b66008c4f05347c83b1e248677c20
  SHA512: 79d0c7d5576a35498eb2b434556851f08c97886b3cdea85b5b67c1ce0e3fbabaeb50255c249f7cb9bef97c2b3046f0ffb49409ad630dc67c1997d7c882d910da