Analysis
- max time kernel: 138s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:26
Static task: static1
Behavioral task: behavioral1
- Sample: 12ba5a39def1b121f7772bd64fe31a7fbc3451888d611af806a777ef0eb10dda.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 12ba5a39def1b121f7772bd64fe31a7fbc3451888d611af806a777ef0eb10dda.exe
- Resource: win10v2004-en-20220113
General
- Target: 12ba5a39def1b121f7772bd64fe31a7fbc3451888d611af806a777ef0eb10dda.exe
- Size: 60KB
- MD5: ba1fce0aefef62b89437d1387b610d9f
- SHA1: 564ea57583d1597c2600fabfa2346110d6cc0b53
- SHA256: 12ba5a39def1b121f7772bd64fe31a7fbc3451888d611af806a777ef0eb10dda
- SHA512: 30cd18f97bcebb85abd666f8c528d0323309208d32a5041ad92c21b0e4181695a21eeb49745d6b40eb4f0e6befd881917e8cdd4cf33f37542bae4755f17c8104
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1540 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: PID 788 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 624 12ba5a39def1b121f7772bd64fe31a7fbc3451888d611af806a777ef0eb10dda.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 12ba5a39def1b121f7772bd64fe31a7fbc3451888d611af806a777ef0eb10dda.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process PID 624 12ba5a39def1b121f7772bd64fe31a7fbc3451888d611af806a777ef0eb10dda.exe: Token SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 624 (12ba5a39def1b121f7772bd64fe31a7fbc3451888d611af806a777ef0eb10dda.exe) wrote to memory of PID 1540 (MediaCenter.exe): 4 entries
  PID 624 (12ba5a39def1b121f7772bd64fe31a7fbc3451888d611af806a777ef0eb10dda.exe) wrote to memory of PID 788 (cmd.exe): 4 entries
  PID 788 (cmd.exe) wrote to memory of PID 960 (PING.EXE): 4 entries
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\12ba5a39def1b121f7772bd64fe31a7fbc3451888d611af806a777ef0eb10dda.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12ba5a39def1b121f7772bd64fe31a7fbc3451888d611af806a777ef0eb10dda.exe"
  PID: 624
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1540
    - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12ba5a39def1b121f7772bd64fe31a7fbc3451888d611af806a777ef0eb10dda.exe"
    PID: 788
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 960
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 413e08427ce6cc28a99a8753d1c53d4d
- SHA1: c349580f5ac49aa2ff80671b5d719632dbe7484c
- SHA256: 53f0a6b951d584f046e399684d0050bc5d3c8da07c495d699d6c39c9432ee3c8
- SHA512: c27019827511eeb5524339af91d3f006e1e877615400a569de571774bb9645ff6dc66fb17e6a10acf0f2dea947c2cefea5c5aece59ad698db352b296906db551