Analysis
- max time kernel: 120s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:26
Static task: static1
Behavioral task: behavioral1
  Sample: 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe
  Resource: win10v2004-en-20220113
General
- Target: 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe
- Size: 60KB
- MD5: cb90760807550541a1306f5608c6f99f
- SHA1: 936e60d75ea7334e46df440402600b2f46a220ce
- SHA256: 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624
- SHA512: a6537161d151769971712701c1c6d9c0af61a3f280cfee5aa5d6470b557405aead23219e3d03c31383dd09b28cf098b19deaa58d8c77dcd77e778595aa784092
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1880 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    1928 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1596 | 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe
    1596 | 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1596 | 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1596 wrote to memory of 1880 | 1596 | 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe | MediaCenter.exe
    PID 1596 wrote to memory of 1880 | 1596 | 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe | MediaCenter.exe
    PID 1596 wrote to memory of 1880 | 1596 | 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe | MediaCenter.exe
    PID 1596 wrote to memory of 1880 | 1596 | 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe | MediaCenter.exe
    PID 1596 wrote to memory of 1928 | 1596 | 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe | cmd.exe
    PID 1596 wrote to memory of 1928 | 1596 | 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe | cmd.exe
    PID 1596 wrote to memory of 1928 | 1596 | 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe | cmd.exe
    PID 1596 wrote to memory of 1928 | 1596 | 12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe | cmd.exe
    PID 1928 wrote to memory of 1900 | 1928 | cmd.exe | PING.EXE
    PID 1928 wrote to memory of 1900 | 1928 | cmd.exe | PING.EXE
    PID 1928 wrote to memory of 1900 | 1928 | cmd.exe | PING.EXE
    PID 1928 wrote to memory of 1900 | 1928 | cmd.exe | PING.EXE
Processes (process tree, depth shown by indentation)
- [1] C:\Users\Admin\AppData\Local\Temp\12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1596
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1880
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12c3709a3c4ebf4140d6f220d13d6de46737f8d5e5bdc744354a47ca7cb32624.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1928
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1900
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 23bfb6fe206a64e0782f29840c28c854
  SHA1: aace5a594f59dfbfcd69a953b555f5a138da0043
  SHA256: 6943fe64b454fbf7bebcbc5a8d7ede6a7257295f63fb5b882e412c86e53c3faf
  SHA512: a480ffeb984e1f2bf2f2d34414f430badbaf08ea0250d0322de16f83a91fc542482d4d5d313b974c3bfb40b3a1a44958a9397597c06329aa4759eff31a7d8f53