Analysis
- max time kernel: 150s
- max time network: 163s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:34
Static task: static1
Behavioral task: behavioral1
- Sample: 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe
- Resource: win10v2004-en-20220112
General
- Target: 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe
- Size: 58KB
- MD5: 20acd6673e8e4d933ba8d1718b9c28a8
- SHA1: d8b031c11ffc858e801f03d52aad7c7808f2b653
- SHA256: 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c
- SHA512: 7f473a6923fc1ec48f216a3236d169b62f9c147c352bacbe712b78040edfb71bfebd1be3c26d5889a53a5a2d010fe85c8a5d623b30e2f74ffb91f2904934546e
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process): 1608 MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process): 812 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1740 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe
  1740 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege | 1740 | 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1740 wrote to memory of 1608 | 1740 | 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe | MediaCenter.exe
  PID 1740 wrote to memory of 1608 | 1740 | 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe | MediaCenter.exe
  PID 1740 wrote to memory of 1608 | 1740 | 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe | MediaCenter.exe
  PID 1740 wrote to memory of 1608 | 1740 | 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe | MediaCenter.exe
  PID 1740 wrote to memory of 812 | 1740 | 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe | cmd.exe
  PID 1740 wrote to memory of 812 | 1740 | 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe | cmd.exe
  PID 1740 wrote to memory of 812 | 1740 | 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe | cmd.exe
  PID 1740 wrote to memory of 812 | 1740 | 1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe | cmd.exe
  PID 812 wrote to memory of 1996 | 812 | cmd.exe | PING.EXE
  PID 812 wrote to memory of 1996 | 812 | cmd.exe | PING.EXE
  PID 812 wrote to memory of 1996 | 812 | cmd.exe | PING.EXE
  PID 812 wrote to memory of 1996 | 812 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1740
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1608
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1527964a39cd45c4c78f60a83bb015c7d0e9484518731b53a03fbd18ea94102c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 812
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1996
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e2a11abb848207edacc7a05506fb2342
  SHA1: b81186e8a325828371dbfe3d339e6dac2453175e
  SHA256: 436fb5b766b83bcea9c6af934d94e3c1c1e2a498395a00a8b4ef8bfab361c1b4
  SHA512: c2f5779965531df0a1f9e3b380a1b3ef3297cb79fb3ef399ab394fce49745a0672b7f2d83638cc5233d13b8fd21a7406e2d70fad5a1e44a2afe546bb63f38c51