Analysis
-
max time kernel
117s -
max time network
124s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 04:27
Static task
static1
Behavioral task
behavioral1
Sample
154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe
Resource
win10v2004-en-20220113
General
-
Target
154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe
-
Size
36KB
-
MD5
be9e756ed7a7df11f1341593e2a1b8c9
-
SHA1
d23a32bdbb3f6846c47f82b6184f357d1fb4522a
-
SHA256
154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388
-
SHA512
d09d3e079ff6b16144506ccb7a2c5af2db6c547566a2981d58064c32add265b475afb9f52620d50a11f471b8554e070ce62a343c91de159ff7404f3cd778c4c4
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1608  MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
  pid   process
  1976  cmd.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid   process
  1740  154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe
  1740  154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1740  154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                       pid   process                                                                 target process
  PID 1740 wrote to memory of 1608  1740  154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe  MediaCenter.exe
  PID 1740 wrote to memory of 1608  1740  154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe  MediaCenter.exe
  PID 1740 wrote to memory of 1608  1740  154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe  MediaCenter.exe
  PID 1740 wrote to memory of 1608  1740  154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe  MediaCenter.exe
  PID 1740 wrote to memory of 1976  1740  154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe  cmd.exe
  PID 1740 wrote to memory of 1976  1740  154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe  cmd.exe
  PID 1740 wrote to memory of 1976  1740  154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe  cmd.exe
  PID 1740 wrote to memory of 1976  1740  154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe  cmd.exe
  PID 1976 wrote to memory of 1840  1976  cmd.exe                                                                 PING.EXE
  PID 1976 wrote to memory of 1840  1976  cmd.exe                                                                 PING.EXE
  PID 1976 wrote to memory of 1840  1976  cmd.exe                                                                 PING.EXE
  PID 1976 wrote to memory of 1840  1976  cmd.exe                                                                 PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe"
  Depth: 1
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1740
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Depth: 2
  - Executes dropped EXE
  PID: 1608
-
C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\154558a6f8dafb24fed2f092e6db292a582b064f759f55ab57bd390d187bc388.exe"
  Depth: 2
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID: 1976
-
C:\Windows\SysWOW64\PING.EXE
  Command line: ping 127.0.0.1
  Depth: 3
  - Runs ping.exe
  PID: 1840
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
412cdca577b0cb896e3f007dc59e7254
SHA1
4d11f0d6a2492cecf02acce556cf2ba0c8cad033
SHA256
a22cec602b60d9078eed8bf8e44a3a05f7349969dcc1bcc0f6ebf616be1455ef
SHA512
3edee9c0043f9e8d14550d16c4ad217745717ad26c1cefca6b3d45ad580c50f7cfdc4294cac7e6b63db4c90310c163b5f280a5193e85abc46bf75010c7d9cb15