Analysis

max time kernel: 149s
max time network: 172s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 02:56

Static task: static1

Behavioral task: behavioral1
Sample: 18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe
Resource: win10v2004-en-20220113

The signatures and process tree below are from the windows7_x64 run (win7-en-20211208).
General

Target: 18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe
Size: 58KB
MD5: 7f4ae3be759d7059e79cf6252d1ba703
SHA1: 0b5274cb03dc0bc6342c7ee47345652f04625565
SHA256: 18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152
SHA512: 0cf56f2651ecb93af1119efeb6219308f746870b8a0be203fadfefc3f73a55ea5d11442888eb298c86e65d1ffb0987535118754a5c2433e6aac23c0ff260932d
Malware Config

Signatures

- Executes dropped EXE (1 IoC)
  pid 944  MediaCenter.exe

- Deletes itself (1 IoC)
  pid 620  cmd.exe
  The sandbox attributes this to the cmd.exe child, which waits on a localhost ping and then runs del /q against the submitted sample's own path (see the process tree below).

- Loads dropped DLL (2 IoCs)
  pid 1704  18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe
  pid 1704  18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe
  (two loads by the same process; the DLL paths are not listed on the page)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The key lands under Wow6432Node because the sample is a 32-bit process (note the SysWOW64 image paths below) and WOW64 redirects its HKLM\SOFTWARE writes on the x64 host; when hunting for this entry, query both the 32-bit and 64-bit registry views. Writing under HKLM requires administrative rights, which the sandbox's Admin account provides; the page shows no HKCU fallback.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour; it is a heuristic and no IoC is listed for it.

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  pid 1704  18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  source pid  source process                                                          target pid  target process   occurrences
  1704        18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe    944         MediaCenter.exe  4
  1704        18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe    620         cmd.exe          4
  620         cmd.exe                                                                 1872        PING.EXE         4
  Every target is a direct child of the writer (see the process tree), consistent with process creation rather than injection into an unrelated process.
Processes

- C:\Users\Admin\AppData\Local\Temp\18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe (pid 1704)
  command line: "C:\Users\Admin\AppData\Local\Temp\18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (pid 944, child of 1704)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe (pid 620, child of 1704)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE (pid 1872, child of 620)
      command line: ping 127.0.0.1
      - Runs ping.exe

The command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe: the 32-bit sample's request is rewritten by WOW64 file-system redirection, the same mechanism that put the Run key under Wow6432Node. The ping 127.0.0.1 & del /q chain is a delay-then-delete idiom; the single localhost ping gives the parent time to exit so that del succeeds on the sample's own file.
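The self-deletion chain in the tree (cmd.exe /c ping 127.0.0.1 & del /q "<own path>") is easy to match on process-creation telemetry once the cmd.exe /c prefix is stripped and the chain is split on & / &&. The following is an added example, not part of the report, that does this over constructed events modelled on the tree above (pid, parent pid, image, command line) plus a hypothetical benign control (pid 2000 deleting a log file). It goes one step beyond the report's case by treating any of ping/timeout/choice/sleep as the wait step and by distinguishing a delete of the parent's own image (the pattern here) from a generic delayed delete. The field names and the parent pids 1200 and 1500 are assumptions.

```python
import re

# Path of the submitted sample as it appears in the report's process tree.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe"

# Constructed process-creation events modelled on the report's tree. The last
# entry is a hypothetical benign control; ppids 1200 and 1500 are assumed parents
# that do not appear in the report.
SAMPLE_EVENTS = [
    {"pid": 1704, "ppid": 1200, "image": DROPPER, "cmdline": '"' + DROPPER + '"'},
    {"pid": 944, "ppid": 1704,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 620, "ppid": 1704, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + DROPPER + '"'},
    {"pid": 1872, "ppid": 620, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"pid": 2000, "ppid": 1500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 & del /q "C:\Temp\old.log"'},
]

WAIT_CMDS = {"ping", "timeout", "choice", "sleep"}   # common "wait for the parent to exit" idioms
DELETE_CMDS = {"del", "erase"}
CMD_PREFIX = re.compile(r'^\s*"?[^"]*?\bcmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")  # naive: ignores & or | inside quotes


def _tokens(segment):
    """Split one command segment into tokens, honouring double quotes."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', segment)]


def _verb(tokens):
    """Lower-case basename of the first token without .exe, e.g. C:\\...\\PING.EXE -> ping."""
    if not tokens:
        return ""
    base = tokens[0].rsplit("\\", 1)[-1].lower()
    return re.sub(r"\.exe$", "", base)


def detect_self_delete(event, by_pid):
    """Flag a cmd.exe 'wait, then delete' chain. Strongest signal: the delete
    target is the parent's own image, which is exactly the report's pattern."""
    body = CMD_PREFIX.sub("", event["cmdline"])
    segments = [s for s in CHAIN_SPLIT.split(body) if s]
    waits = False
    targets = []
    for seg in segments:
        toks = _tokens(seg)
        verb = _verb(toks)
        if verb in WAIT_CMDS:
            waits = True
        elif verb in DELETE_CMDS:
            targets += [t for t in toks[1:] if not t.startswith("/")]  # skip /q, /f ...
    if not targets:
        return None
    parent = by_pid.get(event["ppid"])
    parent_image = parent["image"].lower() if parent else ""
    deletes_parent = any(t.lower() == parent_image for t in targets)
    if not (deletes_parent or waits):
        return None   # a plain del with no wait and no parent match is not this pattern
    return {"pid": event["pid"], "ppid": event["ppid"], "targets": targets,
            "waits": waits, "deletes_parent": deletes_parent,
            "severity": "high" if deletes_parent else "review"}


def scan(events):
    """Run the detector over a batch of events; parent lookup is by pid within the batch."""
    by_pid = {e["pid"]: e for e in events}
    return [h for h in (detect_self_delete(e, by_pid) for e in events) if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["severity"], "pid", hit["pid"], "deletes", hit["targets"])
```

The parent-image comparison is what keeps the rule precise: scripts that wait and then delete a log or temp file are common, but a cmd.exe child whose delete target equals its parent's image path is the dropper cleaning up after itself, and the original sample must then be recovered from the sandbox (or from backup) rather than from the host.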
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: b2b12a46d3f483cdf09ab2ea31b974ab
  SHA1: b9e6c4286d43946a8a52cead8422bfaaf5fd63c9
  SHA256: 78576bdd3f64a7e8cae966240063a0692a3c42deb2adce129b51886d75b6202b
  SHA512: 1be6f0d711fdbf35d72eed0171f5bc7b7d8405a9e35cd03b6374246e124f626ec210dfa58bd3c0957606f0bbc37e357c439cf6a4a1e0db79f49225f611101da3
  This hash set differs from the submitted sample's, so it is a separate artifact; the page does not give its file name, and the report lists the same hash set three times.