Analysis
- max time kernel: 139s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:56
Static task: static1
Behavioral task: behavioral1
  Sample: 18f985242f302d7c44251ee80e92cc4375127f7154d2774896cd20efdd63164e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18f985242f302d7c44251ee80e92cc4375127f7154d2774896cd20efdd63164e.exe
  Resource: win10v2004-en-20220113
General
- Target: 18f985242f302d7c44251ee80e92cc4375127f7154d2774896cd20efdd63164e.exe
- Size: 60KB
- MD5: 7608cfacc53522ecee9c65debd32b930
- SHA1: c6817bb99e233d826706b4491cc90567dc81f644
- SHA256: 18f985242f302d7c44251ee80e92cc4375127f7154d2774896cd20efdd63164e
- SHA512: 2473bf57d0599b6f2bdf53dac7bf1e9c2168d8bc227e5fa807966c23327de07bf78d577e42484013afeed2e823c7f0aafa8f261586bf972243d989667c171268
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1656
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 1828
- Loads dropped DLL (2 IoCs)
  Process: 18f985242f302d7c44251ee80e92cc4375127f7154d2774896cd20efdd63164e.exe, PID 732 (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 18f985242f302d7c44251ee80e92cc4375127f7154d2774896cd20efdd63164e.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 18f985242f302d7c44251ee80e92cc4375127f7154d2774896cd20efdd63164e.exe, PID 732
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 732 (18f985242f302d7c44251ee80e92cc4375127f7154d2774896cd20efdd63164e.exe) wrote to memory of PID 1656 (MediaCenter.exe): 4 events
  PID 732 (18f985242f302d7c44251ee80e92cc4375127f7154d2774896cd20efdd63164e.exe) wrote to memory of PID 1828 (cmd.exe): 4 events
  PID 1828 (cmd.exe) wrote to memory of PID 1056 (PING.EXE): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\18f985242f302d7c44251ee80e92cc4375127f7154d2774896cd20efdd63164e.exe (PID 732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18f985242f302d7c44251ee80e92cc4375127f7154d2774896cd20efdd63164e.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1656)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1828)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18f985242f302d7c44251ee80e92cc4375127f7154d2774896cd20efdd63164e.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE (PID 1056)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b5d89d63e07be305e13f36c43f91f731
  SHA1: 2ea2a6b0753f6a472880b4ecee7cb91a0ae95a57
  SHA256: 26021821a6ea0c8d4b2c40e2574bc0ad2a8e03d14def932993907b944c76d23c
  SHA512: 42708fe51f66a0f4c7d414bac7430c647941252ada09e73b50a8744b12478fe884b2b748839c7b79e683d57a2c463b7804b35930b4e828c722db5b22e309508c