Analysis
- max time kernel: 119s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:00
Static task: static1
Behavioral task: behavioral1
  Sample: 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
  Resource: win10v2004-en-20220113
General
- Target: 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
- Size: 58KB
- MD5: d5f847c413c5e12be6f37fabb2cd4f24
- SHA1: 39ac3babb1e4e7575644f4b89b2bb8f83b42995d
- SHA256: 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5
- SHA512: a2d8463f49bd3d94c9b9de1b6ec2f5d4a2e58f7db50c4e3051222e5b08b2786be4c8a0a8b2644bcbd5730a4d161a45cd6890b45b16ccec7e736cc1442229420e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    652 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1832 / cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1668 / 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
    1668 / 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 1668 / 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1668 wrote to memory of 652 / 1668 / 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe / MediaCenter.exe (4 entries)
    PID 1668 wrote to memory of 1832 / 1668 / 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe / cmd.exe (4 entries)
    PID 1832 wrote to memory of 1756 / 1832 / cmd.exe / PING.EXE (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe"
  PID: 1668
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 652
    - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe"
    PID: 1832
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1756
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8f343bbbaa5221425b10ebf2a45ace7f
  SHA1: f2a0b6410b9535ab698dcbc66dab65e090fe57c3
  SHA256: f51ae7a04ffa0f86a5649ce4e9df3c4cad73f2a88f70e917825ace20f78cc75a
  SHA512: 188871672451c27f581c66775429fc4fff1af20e779c8fadee972ae680dc417f351a83cc7576722e3422034e833514afc2a0013018125ae2584fe6b5ffec87f3