Analysis
- max time kernel: 132s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:12
Static task: static1
Behavioral task: behavioral1
  Sample: 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
  Resource: win10v2004-en-20220113
General
- Target: 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
- Size: 60KB
- MD5: 48e8723f537bcc52cd6a3e6a122551b2
- SHA1: 19da584170b3b811785cf75455e7fddfc10bb0ef
- SHA256: 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e
- SHA512: 62821e1698cd77741ab379686d6eb50b5663adeed5583869d078242e577d3e58217cb5d9fa28972e8550efda56332bd2b0b98901d0a5696a5cb3ae2fb1e42653
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 876 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid 1000 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1516 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
    pid 1516 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege | pid 1516 | process 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 1516 wrote to memory of 876 | 1516 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | MediaCenter.exe
    PID 1516 wrote to memory of 876 | 1516 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | MediaCenter.exe
    PID 1516 wrote to memory of 876 | 1516 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | MediaCenter.exe
    PID 1516 wrote to memory of 876 | 1516 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | MediaCenter.exe
    PID 1516 wrote to memory of 1000 | 1516 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | cmd.exe
    PID 1516 wrote to memory of 1000 | 1516 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | cmd.exe
    PID 1516 wrote to memory of 1000 | 1516 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | cmd.exe
    PID 1516 wrote to memory of 1000 | 1516 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | cmd.exe
    PID 1000 wrote to memory of 1876 | 1000 | cmd.exe | PING.EXE
    PID 1000 wrote to memory of 1876 | 1000 | cmd.exe | PING.EXE
    PID 1000 wrote to memory of 1876 | 1000 | cmd.exe | PING.EXE
    PID 1000 wrote to memory of 1876 | 1000 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1516
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 876
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1000
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1876
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f8491d035d2bb74759aae78dac422fb5
  SHA1: 2a772d01a65c73e1a3e76ff846b3ab5d2ec267df
  SHA256: fe60ffe98f23b3823738bd70a4ce6bd396e5a757a763bec1618016dc0af33449
  SHA512: b7b8df405f7a4d2b6c2531401cf0affa984eea4e13d324428ed128e1c8730b58848964a3c156c5ae50a574e39b628cd5465fb2362e601bcdbe9cdd893bb9a605