Analysis
max time kernel: 131s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:03
Static task: static1
Behavioral task: behavioral1
  Sample: 18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe
  Resource: win10v2004-en-20220113
General
Target: 18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe
Size: 58KB
MD5: a03d4358fbde9f132cfb8306f825cfc2
SHA1: 3fd663d77105ee467fa5766f26baf3d4b85003d3
SHA256: 18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e
SHA512: d076802abcb6b898ef86c060f5cfaec7c04880f0c66d67e136ba85e76966910328692a6a314b63a856426140a26db48a81a447806aef87e7126fc015bd63c899
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1620  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1964  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1652  18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe
    1652  18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1652  18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process); each row was recorded 4 times:
    PID 1652 wrote to memory of 1620  1652  18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe  MediaCenter.exe
    PID 1652 wrote to memory of 1964  1652  18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe  cmd.exe
    PID 1964 wrote to memory of 872   1964  cmd.exe  PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe"
   PID: 1652
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1620
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe"
      PID: 1964
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 872
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3c53ca9fe4b8806a4c6fa78e61efea2d
  SHA1: 1049495820588fc03828a93a29895c728bc10c33
  SHA256: bab01480d297d527c19d5cb581987ebc0222fe5a6ab21dc3b490a386c9b1da08
  SHA512: 677a1777f4b862bb480fd814732b717e0d93ff9d36aca4f2f79b29a0eb02ef8b92ffc9891d1c1fb02bec1434d92f96b1e54bdbb5f6698ef2032a058f4dd1aa7e