Analysis
- max time kernel: 119s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:22
Static task: static1
Behavioral task: behavioral1
- Sample: 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe
- Resource: win10v2004-en-20220113
General
- Target: 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe
- Size: 36KB
- MD5: 49f158e5e90fd43020e50160a6f837c3
- SHA1: 1b7da0829273944b9be5e4c8065291888f343272
- SHA256: 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633
- SHA512: 8004432700aa38f044176d4acf04dde2bcb9622a21e158429626c353e788d7c3d40671ec52fbaad9f9922746333165066ac32455c0d504e5676d83020b63a868
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe (pid 1720)
- Deletes itself (1 IoCs)
  Processes: cmd.exe (pid 1304)
- Loads dropped DLL (2 IoCs)
  Processes: 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe
  pid 1588  12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe
  pid 1588  12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe
  Description: Token: SeIncBasePriorityPrivilege
  pid 1588  12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe, cmd.exe
  description | pid | process | target process
  PID 1588 wrote to memory of 1720 | 1588 | 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe | MediaCenter.exe
  PID 1588 wrote to memory of 1720 | 1588 | 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe | MediaCenter.exe
  PID 1588 wrote to memory of 1720 | 1588 | 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe | MediaCenter.exe
  PID 1588 wrote to memory of 1720 | 1588 | 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe | MediaCenter.exe
  PID 1588 wrote to memory of 1304 | 1588 | 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe | cmd.exe
  PID 1588 wrote to memory of 1304 | 1588 | 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe | cmd.exe
  PID 1588 wrote to memory of 1304 | 1588 | 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe | cmd.exe
  PID 1588 wrote to memory of 1304 | 1588 | 12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe | cmd.exe
  PID 1304 wrote to memory of 1804 | 1304 | cmd.exe | PING.EXE
  PID 1304 wrote to memory of 1804 | 1304 | cmd.exe | PING.EXE
  PID 1304 wrote to memory of 1804 | 1304 | cmd.exe | PING.EXE
  PID 1304 wrote to memory of 1804 | 1304 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1588
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1720
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12f004d470e7fe036551ef4951f87bd2bbe2714eaee3a27a4ac9943210ed8633.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1304
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1804
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0c74ebf14b8a360dabd7c5d52d9ee973
  SHA1: 18203e835edab13cfaea93f63e5f38d0c27eb72d
  SHA256: c4db2fe164b3a8a500125345d6e0072423ae47411b91cd16c1830659535bc895
  SHA512: 8922e9ac5e702f04abfc2dc1b103d1c194dd60d43a4f2ca6e50388934c91232bdedb4871c2cf691337f24c0b3600b9f042d965ed7685716302b1c7c85e4e5951