Analysis
max time kernel: 122s
max time network: 148s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:18
Static task: static1
Behavioral task: behavioral1
  Sample: 18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e.exe
  Resource: win10v2004-en-20220113
General
Target: 18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e.exe
Size: 60KB
MD5: 51c44104246be550cb8cb81bebc5d2ed
SHA1: 195af38389ff5ea9a2de83b85ba22116a8799190
SHA256: 18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e
SHA512: 8886463cc81a47ddc879ac23e748344460c029b8802b58a5bf7f64cc2dac7f6935c43e281e3592b1beb83e57f1244cfca30b543ee3fde6ba06adb72b79ae0b41
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 1720  MediaCenter.exe
Deletes itself (1 IoC)
  PID 1232  cmd.exe
Loads dropped DLL (2 IoCs)
  PID 1204  18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e.exe
  PID 1204  18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e.exe
  (the same process is listed once per IoC; the paths of the loaded DLLs are not shown in this report)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by PID 1204 (18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e.exe):
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Note: this is the HKLM Run key (machine-wide persistence, runs for every user at logon), written through the Wow6432Node view because the sample is a 32-bit process on a 64-bit host. The value name "MicroMedia" and the MediaCenter.exe path under the user's Temp directory are the hunt-worthy IoCs here.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as "likely ransomware behaviour", but that is a heuristic label: nothing else in this report (no mass file writes or encryption) supports it on its own.
Runs ping.exe (1 TTP, 1 IoC)
  PID 1428  PING.EXE (ping 127.0.0.1). In the process tree below the ping is used as a short delay before cmd.exe deletes the original sample, a common self-removal idiom rather than network reconnaissance.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1204  18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e.exe  Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID  Source process                                                                Target PID  Target process   Count
  1204        18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e.exe  1720        MediaCenter.exe  4
  1204        18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e.exe  1232        cmd.exe          4
  1232        cmd.exe                                                                       1428        PING.EXE         4
  Every target is a child that the writing process had just spawned, which is consistent with writes made during process creation; no write to an unrelated process is recorded.
Processes
1. C:\Users\Admin\AppData\Local\Temp\18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e.exe  (PID 1204)
   Command line: "C:\Users\Admin\AppData\Local\Temp\18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1720)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe  (PID 1232)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      (the command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: file system redirection for a 32-bit parent; the deleted path is the parent's own image)
      3. C:\Windows\SysWOW64\PING.EXE  (PID 1428)
         Command line: ping 127.0.0.1
         - Runs ping.exe
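The two behaviours worth turning into detections from this tree are the "ping loopback, then del the parent's image" self-deletion by cmd.exe and the HKLM Run value pointing into the user's Temp directory, correlated with the fact that the same process also launched that target as a child. The following is an added example written for this page, not sandbox code: it runs the detection logic over a constructed event list shaped like Sysmon process-create and registry-set events, using the PIDs, paths and command lines from the report; the parent PIDs of the root process and of the benign control (1000 and 1900) are made up.

```python
"""Detection logic for two behaviours recorded in the report above: the
cmd.exe "ping 127.0.0.1 & del" self-deletion, and a Run key whose target
lives under the user's AppData\\Local\\Temp. The EVENTS list is constructed
here to mirror the report's process tree; it is not sandbox output."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\18127cb49436fa78f5195358e80dbfe6ff09171dbd19bdfbebb85fc565cce48e.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
           r"\CurrentVersion\Run\MicroMedia")

# Constructed events in the shape of Sysmon EID 1 (process create) and
# EID 13 (registry value set). PIDs, paths and command lines are the
# report's; ppid 1000 and the benign control's ppid 1900 are made up.
EVENTS: List[Dict] = [
    {"type": "proc", "pid": 1204, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "reg", "pid": 1204, "key": RUN_KEY, "data": DROPPED},
    {"type": "proc", "pid": 1720, "ppid": 1204, "image": DROPPED, "cmdline": DROPPED},
    {"type": "proc", "pid": 1232, "ppid": 1204, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "proc", "pid": 1428, "ppid": 1232, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign control: same ping-then-del idiom, but the target is not the parent's image.
    {"type": "proc", "pid": 2000, "ppid": 1900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 & del /q "C:\Temp\old.log"'},
]

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# "ping [-n N] <host> & del [/switches] <path>" at the end of a command line.
SELF_DELETE_RE = re.compile(
    r'\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?P<host>[\w.:]+)\s*&&?\s*'
    r'del\b(?:\s+/\w)*\s+"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _procs(events: List[Dict]) -> Dict[int, Dict]:
    return {e["pid"]: e for e in events if e["type"] == "proc"}


def detect_self_delete(events: List[Dict]) -> List[Dict]:
    """Flag a cmd.exe that pings loopback (a delay) and then deletes the image
    of its own parent, which is exactly the tree shown in the report."""
    procs = _procs(events)
    hits = []
    for e in procs.values():
        if PureWindowsPath(e["image"]).name.lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m or m.group("host").lower() not in LOOPBACK:
            continue
        parent = procs.get(e["ppid"])
        if parent and _norm(m.group("target")) == _norm(parent["image"]):
            hits.append({"pid": e["pid"], "parent_pid": parent["pid"],
                         "deleted": m.group("target")})
    return hits


def detect_run_key_to_temp(events: List[Dict]) -> List[Dict]:
    """Flag Run/RunOnce values whose target sits in a user-writable drop location."""
    hits = []
    for e in events:
        if e["type"] != "reg":
            continue
        m = RUN_KEY_RE.search(e["key"])
        if m and any(d in _norm(e["data"]) for d in USER_WRITABLE):
            hits.append({"pid": e["pid"], "value": m.group("name"), "target": e["data"]})
    return hits


def persisted_dropped_exe(events: List[Dict]) -> List[Dict]:
    """Correlate the two: the process that set the Run key also launched the
    key's target as a child (drop, execute, persist in one sequence)."""
    procs = _procs(events)
    out = []
    for hit in detect_run_key_to_temp(events):
        for p in procs.values():
            if p["ppid"] == hit["pid"] and _norm(p["image"]) == _norm(hit["target"]):
                out.append({"parent_pid": hit["pid"], "child_pid": p["pid"],
                            "run_value": hit["value"]})
    return out


if __name__ == "__main__":
    for name, fn in [("self-delete", detect_self_delete),
                     ("run-key-to-temp", detect_run_key_to_temp),
                     ("drop-exec-persist", persisted_dropped_exe)]:
        for hit in fn(EVENTS):
            print(f"[{name}] {hit}")
```

The self-delete rule deliberately requires the deleted path to equal the parent's image: the bare "ping & del" idiom also shows up in cleanup scripts, so the benign control event is matched by the regex but not reported. Feeding real Sysmon or 4688 events in means mapping ProcessId/ParentProcessId/Image/CommandLine and TargetObject/Details onto the same keys.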
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c59f4089a67db7d635e45a5d58649e8c
SHA1: 3fc8562caa3f2147e2c0809738d3ccdad380d050
SHA256: dac1fb9982e682f551a7af6359f8c69d4dab092fbfdd5e55aba2530a45f7b82a
SHA512: bf01ac604a4f469b823b6ec0fd08fa460a1987054779804f8c43c1944d938562f44015dfe5052de685502a65398355dec892cbe26d78bfcdf1634661bfc59763