Analysis
max time kernel: 119s
max time network: 128s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:26

Static task: static1

Behavioral task: behavioral1
Sample: 1550189ee9d11160d6622ba599d69e8ecf830c63cafa19f76145046f9ebfb7f6.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 1550189ee9d11160d6622ba599d69e8ecf830c63cafa19f76145046f9ebfb7f6.exe
Resource: win10v2004-en-20220112

General
Target: 1550189ee9d11160d6622ba599d69e8ecf830c63cafa19f76145046f9ebfb7f6.exe
Size: 58KB
MD5: d48709af9cd494cac2467d1661314d4d
SHA1: 7a510a6cf7ab25d2bb8297fe3bc4dc207386a550
SHA256: 1550189ee9d11160d6622ba599d69e8ecf830c63cafa19f76145046f9ebfb7f6
SHA512: 98a472e11f9d74cd67fd851f1747d390bfa2f72bad9bd669a919c4286a22d3a0cfce4f61f1c82c037fc69676d8d80f1c6d8f41a1fb4cc6a0a3ad347cd8b4e169
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid 1256  process MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  pid 1044  process cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid 1220  process 1550189ee9d11160d6622ba599d69e8ecf830c63cafa19f76145046f9ebfb7f6.exe
  pid 1220  process 1550189ee9d11160d6622ba599d69e8ecf830c63cafa19f76145046f9ebfb7f6.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 1550189ee9d11160d6622ba599d69e8ecf830c63cafa19f76145046f9ebfb7f6.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeIncBasePriorityPrivilege
  pid: 1220
  process: 1550189ee9d11160d6622ba599d69e8ecf830c63cafa19f76145046f9ebfb7f6.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description | pid | process | target process):
  PID 1220 wrote to memory of 1256 | 1220 | 1550189ee9d11160d6622ba599d69e8ecf830c63cafa19f76145046f9ebfb7f6.exe | MediaCenter.exe (4 identical entries)
  PID 1220 wrote to memory of 1044 | 1220 | 1550189ee9d11160d6622ba599d69e8ecf830c63cafa19f76145046f9ebfb7f6.exe | cmd.exe (4 identical entries)
  PID 1044 wrote to memory of 676 | 1044 | cmd.exe | PING.EXE (4 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\1550189ee9d11160d6622ba599d69e8ecf830c63cafa19f76145046f9ebfb7f6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1550189ee9d11160d6622ba599d69e8ecf830c63cafa19f76145046f9ebfb7f6.exe"
   PID: 1220
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1256
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1550189ee9d11160d6622ba599d69e8ecf830c63cafa19f76145046f9ebfb7f6.exe"
      PID: 1044
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 676
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: b7748dd40b68a6bb1534c4ff3e324cc2
SHA1: 66b943ae36bf996ff6687967f8560aef8409e209
SHA256: f5e6fb85076074cf1186723f34198a533ba2bbd4983bd784040feaef52ddc49c
SHA512: f709b3f04ffcc3e238edba14171d23078e2df7782643994d853d8fbd646e6a833cf45fe74a79476e6cdff16c4fe80eb72959a9eba8fe72bf47708fbc9d9853c4