Analysis
- max time kernel: 119s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:55
Static task: static1
Behavioral task: behavioral1
  Sample: 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe
  Resource: win10v2004-en-20220112
General
- Target: 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe
- Size: 36KB
- MD5: fda028804ee89f5ada1bd4cb33d242c6
- SHA1: dc04f95be741ce51e16523fe0733426871f53279
- SHA256: 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1
- SHA512: 6a2fb247164c81a0ecc1cefab03ff88f8054039b354b7cfdb95fdd60861655f73c3081394280da29d66e7101ebfeb942b4d45dab1b8e88583d17a96a85f3e312
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1656 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    784 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1188 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe
    1188 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege 1188 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1188 wrote to memory of 1656 1188 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe MediaCenter.exe
    PID 1188 wrote to memory of 1656 1188 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe MediaCenter.exe
    PID 1188 wrote to memory of 1656 1188 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe MediaCenter.exe
    PID 1188 wrote to memory of 1656 1188 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe MediaCenter.exe
    PID 1188 wrote to memory of 784 1188 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe cmd.exe
    PID 1188 wrote to memory of 784 1188 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe cmd.exe
    PID 1188 wrote to memory of 784 1188 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe cmd.exe
    PID 1188 wrote to memory of 784 1188 190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe cmd.exe
    PID 784 wrote to memory of 1956 784 cmd.exe PING.EXE
    PID 784 wrote to memory of 1956 784 cmd.exe PING.EXE
    PID 784 wrote to memory of 1956 784 cmd.exe PING.EXE
    PID 784 wrote to memory of 1956 784 cmd.exe PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe"
  PID: 1188
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1656
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\190b0ee88e4f242de9bb1702809a17954a7b2195c4c8157e169acbd7ab32eab1.exe"
    PID: 784
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1956
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 11bf2c10b02347d4080cc7f3f8b506c2
  SHA1: e59b400de2998ecdc84ca0f365a166d2c9292e2b
  SHA256: f02d9628525205dd3fb11158f411b2e4f88e22bc549263628b8f658e391346bc
  SHA512: 9debf7a8dba1d523403d95307ab727f05ec05c5d6a344a3c4c4e0c87e2bcd0ce61e681ca173acd0cb410a581053305f4cce1e9a5da8139de5465736303f0d092