Analysis
- max time kernel: 120s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:25
Static task: static1
Behavioral task: behavioral1
  Sample: 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe
  Resource: win10v2004-en-20220113
General
- Target: 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe
- Size: 35KB
- MD5: 834d28c2fc069e298617c8c16ab9abe2
- SHA1: dc3f8902158d6644bd5178fd55d3a49c296248e7
- SHA256: 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2
- SHA512: 9c4f7f63758cca75e222fa395333cbb767f66d4550eebde9c1c97a6511ce111a6ae6a8ba5a003658ce0cd8eefe9e92820d7228cbd7a713443496d53add61f4d1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    268, MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    764, cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1172, 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe
    1172, 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str), \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege, 1172, 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1172 wrote to memory of 268, 1172, 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe, MediaCenter.exe
    PID 1172 wrote to memory of 268, 1172, 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe, MediaCenter.exe
    PID 1172 wrote to memory of 268, 1172, 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe, MediaCenter.exe
    PID 1172 wrote to memory of 268, 1172, 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe, MediaCenter.exe
    PID 1172 wrote to memory of 764, 1172, 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe, cmd.exe
    PID 1172 wrote to memory of 764, 1172, 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe, cmd.exe
    PID 1172 wrote to memory of 764, 1172, 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe, cmd.exe
    PID 1172 wrote to memory of 764, 1172, 12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe, cmd.exe
    PID 764 wrote to memory of 1596, 764, cmd.exe, PING.EXE
    PID 764 wrote to memory of 1596, 764, cmd.exe, PING.EXE
    PID 764 wrote to memory of 1596, 764, cmd.exe, PING.EXE
    PID 764 wrote to memory of 1596, 764, cmd.exe, PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1172
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 268
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12c7c1c712f75ccc6f783b183e19d54f28cfbcccafe4844a90c2a6fa2cae0fe2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 764
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1596
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6b9009fd173528c38bbc01cb1bc4bc4c
  SHA1: ccd6a0daa219352fde680327bb5e717aab3ec24a
  SHA256: 7fe8ea906533df646a386f2c3eecdb06622e43bb0f6d8b1c1d4b91cc7bc585a0
  SHA512: 828b75e8c629bb1a0137ae782a703cac2ce713df74e4de0eba7cea30706351e258621eef21004533f70ababeade436dcfff55a1d763e9a4062b9ddf7a975ded5