Analysis
- max time kernel: 144s
- max time network: 175s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:06
Static task: static1
Behavioral task: behavioral1
- Sample: 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe
- Resource: win10v2004-en-20220112
General
- Target: 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe
- Size: 35KB
- MD5: 7062ce05a6f47a1782683533f4609dc5
- SHA1: 25fcf52f4af9e37baf4c7d5d5cba817a9bf8b3fd
- SHA256: 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb
- SHA512: d15fe5fc98ab9bb9730c116f06eb1da3e22d227b8bcfef241d21fb6c27ac80ce0a8c6f5fe35a92e24c0945d0521bb39f1bb9823ed02fd64bbebee46ff0822be3
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  - MediaCenter.exe, PID 528
- Deletes itself (1 IoCs)
  Processes:
  - cmd.exe, PID 2020
- Loads dropped DLL (2 IoCs)
  Processes:
  - 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe, PID 972
  - 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe, PID 972
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  - Process: 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe
    Description: Set value (str)
    IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - Process: 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe, PID 972
    Description: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, PID, process, target process):
  - PID 972 wrote to memory of 528; 972 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe -> MediaCenter.exe
  - PID 972 wrote to memory of 528; 972 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe -> MediaCenter.exe
  - PID 972 wrote to memory of 528; 972 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe -> MediaCenter.exe
  - PID 972 wrote to memory of 528; 972 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe -> MediaCenter.exe
  - PID 972 wrote to memory of 2020; 972 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe -> cmd.exe
  - PID 972 wrote to memory of 2020; 972 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe -> cmd.exe
  - PID 972 wrote to memory of 2020; 972 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe -> cmd.exe
  - PID 972 wrote to memory of 2020; 972 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe -> cmd.exe
  - PID 2020 wrote to memory of 1712; 2020 cmd.exe -> PING.EXE
  - PID 2020 wrote to memory of 1712; 2020 cmd.exe -> PING.EXE
  - PID 2020 wrote to memory of 1712; 2020 cmd.exe -> PING.EXE
  - PID 2020 wrote to memory of 1712; 2020 cmd.exe -> PING.EXE
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 972
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 528
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2020
    - (depth 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1712
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2041b2e6be3b0ae82162ca1c833d1895
  SHA1: 6722884a17276d841f5d66ef927d9555849e1d7c
  SHA256: e2ba057f1ecf62bf33379c0a5414995e2126c69045690f2f0b5ae0dc9c6f6383
  SHA512: 2cce4b7fb5d59c85a8e293226b97b32fbcfb494282b469e106a246abad79bfd4c77e4c10bbef200942ad1eaebb483f0c1b33599f6b8af7c469a3c07fe78670d4