Analysis
max time kernel: 139s
max time network: 161s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:04
Static task: static1
Behavioral task: behavioral1
  Sample: 18a89b346084c9109761435798a12c4f16b664c39d2260e662ce1e862a43145e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18a89b346084c9109761435798a12c4f16b664c39d2260e662ce1e862a43145e.exe
  Resource: win10v2004-en-20220112
General
Target: 18a89b346084c9109761435798a12c4f16b664c39d2260e662ce1e862a43145e.exe
Size: 36KB
MD5: 6737a157fdf0c981b8771d40a5921a19
SHA1: be0d1ea549d0e4539826a5b63f991c0961223d9a
SHA256: 18a89b346084c9109761435798a12c4f16b664c39d2260e662ce1e862a43145e
SHA512: 3c36a757980ad02b4b92bd53fd0b2cab5ffd1743280f9edf0ffecda6eb4b45eed63df3a7bdf5cea27629448c83407aa270a43aeffedb2a2979c1768d3fdc67b8
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe (PID 1636)
Deletes itself (1 IoCs)
  Processes: cmd.exe (PID 1988)
Loads dropped DLL (2 IoCs)
  Processes: 18a89b346084c9109761435798a12c4f16b664c39d2260e662ce1e862a43145e.exe (PID 1224), 2 entries
Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: 18a89b346084c9109761435798a12c4f16b664c39d2260e662ce1e862a43145e.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Process: 18a89b346084c9109761435798a12c4f16b664c39d2260e662ce1e862a43145e.exe (PID 1224), Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1224 (18a89b346084c9109761435798a12c4f16b664c39d2260e662ce1e862a43145e.exe) wrote to memory of PID 1636 (MediaCenter.exe), 4 entries
  PID 1224 (18a89b346084c9109761435798a12c4f16b664c39d2260e662ce1e862a43145e.exe) wrote to memory of PID 1988 (cmd.exe), 4 entries
  PID 1988 (cmd.exe) wrote to memory of PID 2044 (PING.EXE), 4 entries
Processes
C:\Users\Admin\AppData\Local\Temp\18a89b346084c9109761435798a12c4f16b664c39d2260e662ce1e862a43145e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18a89b346084c9109761435798a12c4f16b664c39d2260e662ce1e862a43145e.exe"
  PID: 1224
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1636
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18a89b346084c9109761435798a12c4f16b664c39d2260e662ce1e862a43145e.exe"
    PID: 1988
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2044
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 379adc48537e17c3eaf45e9a22d213f7
SHA1: 816562652ae13a49bd293176c5b73d9c67ca8a28
SHA256: 57868a03721f9a5a7eb8087ea1c9b4c845d3770c1ee680d3b717bcf7158cfe78
SHA512: 0309dca174a7984e917ea22ef25b0195575382f8b85b72ae2a5c45c95e0b038c8e9d88e53c741ac440dc0ab91101526f03c4510d320ecb6792e49aa71fc24438