Analysis
- max time kernel: 117s
- max time network: 131s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:01
Static task: static1
Behavioral task: behavioral1
- Sample: 18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63.exe
- Resource: win10v2004-en-20220112
General
- Target: 18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63.exe
- Size: 60KB
- MD5: 1a4fc297393677ee9bb8c03c0cbff975
- SHA1: f91be0225b1cdc45baf135534263cc572658ae8c
- SHA256: 18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63
- SHA512: a4961df38f1d9854f0988791240616fb1239f37b6d06c087c585fc6a6f9ecf88e1bca808ee032c1192a066b889ff467125ad21221ea489701c971ae9b2582fa4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe, PID 744
- Deletes itself (1 IoC)
  Processes: cmd.exe, PID 828
- Loads dropped DLL (2 IoCs)
  Processes: 18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63.exe, PID 1084 (listed for both IoCs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63.exe, PID 1084
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but it is a generic heuristic: drive enumeration is also common in installers and updaters, so weigh it together with the persistence and self-deletion findings rather than on its own.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63.exe, PID 1084; Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63.exe, cmd.exe
  PID 1084 wrote to memory of PID 744 (18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63.exe -> MediaCenter.exe), 4 times
  PID 1084 wrote to memory of PID 828 (18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63.exe -> cmd.exe), 4 times
  PID 828 wrote to memory of PID 1972 (cmd.exe -> PING.EXE), 4 times
  In every case the writer is the target's parent in the process tree, which is the pattern CreateProcess itself produces when it sets up a child; on its own this is not evidence of injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63.exe (PID 1084, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 744, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 828, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1972, depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Two details of this tree are worth reading correctly. The command line asks for System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is a 32-bit process on 64-bit Windows, so file system redirection maps System32 to SysWOW64, and registry redirection is why its Run value landed under Wow6432Node. The ping to 127.0.0.1 is a delay, not network activity; it gives the parent (PID 1084) time to exit before del removes the original executable, while the copy dropped to %TEMP%\MicroMedia\MediaCenter.exe persists through the Run key.
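The self-deletion and persistence pattern in the tree above is easy to hunt for in process-creation and registry telemetry. The following is an added example, not code from the sandbox report or from the sample: it parses the "ping X & del Y" idiom, ties the deleted path back to the parent image, and flags Run values that point into user-writable directories. The event records are constructed here to mirror the report (field names, the parent PID 500, and the benign control entries are assumptions, not any sandbox's schema).

```python
"""Triage helpers for the ping-delay self-deletion and %TEMP% Run-key persistence
seen in the report above. Added example; records below are constructed to mirror
the report's process tree and registry IoC. Field names (pid, ppid, image,
cmdline, key, value, data) are assumed, not a particular sandbox's schema."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\18c5e6f07b51362a280a3946a8a0b394bca76a95bd3ec2ad8bad2d34e2728e63.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed process-creation records. ppid 500 for the sample's own parent is an
# assumption (the report does not show it). PID 2100 is a constructed benign control:
# a delayed delete of a log file that must NOT be reported as self-deletion.
PROCESS_EVENTS = [
    {"pid": 1084, "ppid": 500, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 744, "ppid": 1084, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 828, "ppid": 1084, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1972, "ppid": 828, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"pid": 2100, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping -n 3 10.0.0.5 > nul & del /f "C:\ProgramData\Vendor\old.log"'},
]

# Constructed registry-set records: the report's Run value plus a benign control
# (hypothetical vendor updater under Program Files).
REGISTRY_EVENTS = [
    {"pid": 1084, "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicroMedia", "data": DROPPED},
    {"pid": 900, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorUpdater", "data": r"C:\Program Files\Vendor\Updater.exe"},
]

# "ping [-n N] HOST ... & del [/x ...] PATH": the ping is a sleep substitute, the del is the payload.
DELAYED_DELETE = re.compile(
    r'ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?P<host>\S+)[^&]*&+\s*'
    r'del\s+(?:/\w\s+)*"?(?P<path>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
LOOPBACK = ("127.", "localhost", "::1")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")


def _norm(path):
    """Case-fold and strip quotes so command-line paths compare with image paths."""
    return path.strip().strip('"').lower()


def delayed_deletes(events):
    """Every 'ping X & del Y' command line, with the ping target and the deleted path."""
    out = []
    for ev in events:
        m = DELAYED_DELETE.search(ev["cmdline"])
        if m:
            out.append({"pid": ev["pid"], "host": m["host"], "path": _norm(m["path"]),
                        "loopback": m["host"].lower().startswith(LOOPBACK)})
    return out


def self_deletions(events):
    """Delayed deletes whose target is the image of the cmd.exe's own parent process."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for d in delayed_deletes(events):
        parent = by_pid.get(by_pid[d["pid"]]["ppid"])
        if parent and _norm(parent["image"]) == d["path"]:
            hits.append({"parent_pid": parent["pid"], "cmd_pid": d["pid"],
                         "path": d["path"], "loopback": d["loopback"]})
    return hits


def temp_run_keys(reg_events):
    """Run/RunOnce values whose target lives in a user-writable directory."""
    return [
        {"pid": ev["pid"], "value": ev["value"], "data": ev["data"],
         "wow64": "wow6432node" in ev["key"].lower()}
        for ev in reg_events
        if RUN_KEY.search(ev["key"]) and any(p in ev["data"].lower() for p in USER_WRITABLE)
    ]


def triage(process_events, registry_events):
    """Human-readable findings combining both checks."""
    findings = []
    for h in self_deletions(process_events):
        findings.append(f"self-deletion: pid {h['parent_pid']} removed its own image via cmd.exe pid "
                        f"{h['cmd_pid']} (ping-delay to loopback: {h['loopback']})")
    for r in temp_run_keys(registry_events):
        findings.append(f"persistence: pid {r['pid']} set Run value {r['value']!r} -> {r['data']} "
                        f"(32-bit WOW64 view: {r['wow64']})")
    return findings


if __name__ == "__main__":
    for line in triage(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(line)
```

The parent-image comparison is what separates self-deletion from the ordinary "wait then clean up a file" idiom: the constructed PID 2100 entry matches the ping/del regex but is not reported, because its deleted path is not its parent's image. The loopback flag is kept separately because a ping to a real host inside the same idiom can be a crude connectivity check rather than a sleep.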
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6b187dc166c834114a37d0d44dc0ccf6
  SHA1: 7e504d5ae905493d62484ce461770065ef1e253a
  SHA256: d813abcd66df5268a7c16f296a47f61800474df1cebc28d97cf3102b391b5357
  SHA512: fd5b1c7093415a3afdb15134e42b22493cdd5223c8eee605ec43feca7d7f861623d985341f5df7a21d6660a75b33ceb0e3d97e34eba82cab16a7e2ca112e673b