Analysis
- max time kernel: 138s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:57
Static task: static1
Behavioral task: behavioral1
  Sample: 18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe
  Resource: win10v2004-en-20220112
General
- Target: 18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe
- Size: 36KB
- MD5: 1c1817ade934a17c9b8f20f2f8faa43d
- SHA1: cb38783dcd7a516f32e0e1306a0c27e0b7a297a2
- SHA256: 18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4
- SHA512: 4aa77cfe3d511aa1f6aecd480d541156dc0b74a2165e9ba3490a0043806f4fad5febb28396e4130a44b967b0921f8507003de6190292da75c74b231c4f1d5b9a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    956  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1996  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1884  18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe
    1884  18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1884  18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1884 wrote to memory of 956   1884  18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe  MediaCenter.exe
    PID 1884 wrote to memory of 956   1884  18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe  MediaCenter.exe
    PID 1884 wrote to memory of 956   1884  18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe  MediaCenter.exe
    PID 1884 wrote to memory of 956   1884  18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe  MediaCenter.exe
    PID 1884 wrote to memory of 1996  1884  18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe  cmd.exe
    PID 1884 wrote to memory of 1996  1884  18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe  cmd.exe
    PID 1884 wrote to memory of 1996  1884  18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe  cmd.exe
    PID 1884 wrote to memory of 1996  1884  18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe  cmd.exe
    PID 1996 wrote to memory of 1176  1996  cmd.exe  PING.EXE
    PID 1996 wrote to memory of 1176  1996  cmd.exe  PING.EXE
    PID 1996 wrote to memory of 1176  1996  cmd.exe  PING.EXE
    PID 1996 wrote to memory of 1176  1996  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 1884
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
    PID: 956
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18f5f4be0cbdab767ceb8fc8be7067b77fdb44d7cedcef6b0fefeb3aacf7b9a4.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    PID: 1996
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
      PID: 1176
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1d2090bcf0bfe9da57e7d43623cb17ac
  SHA1: 3ad4c5222f4a5db1e02ca86074b7da73d48ae300
  SHA256: fe36d0592c64030d2afd19f4fd35cbc84724eac6eac522580eba45db31241426
  SHA512: 2c549215cfb98e7972392cd96915a5e4cbcf2a3d7d165feeed8189ae6c3fbbc1196e3b1b4f86e0e64a9b453bbce0d719ec5f23fd0dd01c84c414eecad5b43e8d