Analysis
- max time kernel: 119s
- max time network: 128s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:59
Static task: static1
Behavioral task: behavioral1
- Sample: 18e1d90ca12f205dd4c4ec264ce3aa4e2f347573787181497995933c90c91110.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 18e1d90ca12f205dd4c4ec264ce3aa4e2f347573787181497995933c90c91110.exe
- Resource: win10v2004-en-20220113
General
- Target: 18e1d90ca12f205dd4c4ec264ce3aa4e2f347573787181497995933c90c91110.exe
- Size: 36KB
- MD5: 65561ffd1f189858693a92502e5e8c29
- SHA1: 727fb5ea996aa46a5c1923dc254c4540d6b3d008
- SHA256: 18e1d90ca12f205dd4c4ec264ce3aa4e2f347573787181497995933c90c91110
- SHA512: 3ac8602fa87ad2ae01c91a3d2f4f153df7c33051a469f8690465885cf545c463535a9dd1e53741c844373981504571514c4b4087916ce1ee56d7e44c4385d392
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1876  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    PID 432  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 1704  18e1d90ca12f205dd4c4ec264ce3aa4e2f347573787181497995933c90c91110.exe
    PID 1704  18e1d90ca12f205dd4c4ec264ce3aa4e2f347573787181497995933c90c91110.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 18e1d90ca12f205dd4c4ec264ce3aa4e2f347573787181497995933c90c91110.exe
  The value is written under HKLM (machine-wide autorun, so it needs administrative rights, which the sandbox's Admin account evidently provided) and lands in Wow6432Node because the sample is a 32-bit process on 64-bit Windows and WOW64 redirects its registry writes. The registered path is the dropped copy in the user's Temp directory, not the original sample, which is deleted below.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a generic drive-enumeration heuristic; nothing else in this report (no bulk file writes, no renamed files, no ransom note) corroborates the ransomware label, so treat it as drive enumeration only.
- Runs ping.exe (1 TTP, 1 IoC)
  Processes:
    PID 1924  PING.EXE  (ping 127.0.0.1, used as a delay before the self-delete; see the process tree below)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeIncBasePriorityPrivilege  PID 1704  18e1d90ca12f205dd4c4ec264ce3aa4e2f347573787181497995933c90c91110.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 1704 (18e1d90ca12f205dd4c4ec264ce3aa4e2f347573787181497995933c90c91110.exe) wrote to memory of PID 1876 (MediaCenter.exe)  x4
    PID 1704 (18e1d90ca12f205dd4c4ec264ce3aa4e2f347573787181497995933c90c91110.exe) wrote to memory of PID 432 (cmd.exe)  x4
    PID 432 (cmd.exe) wrote to memory of PID 1924 (PING.EXE)  x4
  Each group of four writes targets a process that the writer has just spawned (compare the process tree below). Writes by a parent into its freshly created child are part of normal process start-up and are not, on their own, evidence of injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\18e1d90ca12f205dd4c4ec264ce3aa4e2f347573787181497995933c90c91110.exe (PID 1704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18e1d90ca12f205dd4c4ec264ce3aa4e2f347573787181497995933c90c91110.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1876)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 432)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18e1d90ca12f205dd4c4ec264ce3aa4e2f347573787181497995933c90c91110.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1924)
      Command line: ping 127.0.0.1
      - Runs ping.exe

The command line names System32\cmd.exe but the image that actually runs is SysWOW64\cmd.exe: the sample is 32-bit and WOW64 file-system redirection substitutes the 32-bit binary. The cmd.exe child is the standard self-delete idiom: `ping 127.0.0.1` runs for a few seconds so the parent can exit and release the lock on its own file, then `del /q` removes the original dropper. The copy at MicroMedia\MediaCenter.exe, already registered in the Run key, survives and is what restarts at next logon.
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ab29c4bc694a84de6d848072a2c87d05
  SHA1: 4a89d1fa72070bd038087ff071a76e345b7e2f4f
  SHA256: ae7b0bae3799dbf6b61476e2922b314dbc5b1ac9773bc890e3e66706df52ec56
  SHA512: 43eca0ff318e6befd8b7ee90a1cd1bb84af6e566122ea4d2c0c3f0e6adacd30dcb7839d272a68dcb0e64ebcd48a1ffd274bd6678244726e1111864c34e64367f