Analysis
- max time kernel: 118s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:28
Static task: static1
Behavioral task: behavioral1
  Sample: 12ab3d1fc2882035f6492a5e87d055f0702c39dbdb8a5e789d01374f18a82e58.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 12ab3d1fc2882035f6492a5e87d055f0702c39dbdb8a5e789d01374f18a82e58.exe
  Resource: win10v2004-en-20220113
General
- Target: 12ab3d1fc2882035f6492a5e87d055f0702c39dbdb8a5e789d01374f18a82e58.exe
- Size: 58KB
- MD5: 33da72ca71f8cf0e12f082f4242f1f41
- SHA1: 6beefb02634403d0f6ef39c323029c25a8977214
- SHA256: 12ab3d1fc2882035f6492a5e87d055f0702c39dbdb8a5e789d01374f18a82e58
- SHA512: dcf1c461cb191d2c2b0d6a2fb07676e387707e675380544690306aa5a12835f04ed1979f81a8c9a674d92acce2ea2abee54652203d98204cbc387f820b91406e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    896 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    432 / cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1564 / 12ab3d1fc2882035f6492a5e87d055f0702c39dbdb8a5e789d01374f18a82e58.exe
    1564 / 12ab3d1fc2882035f6492a5e87d055f0702c39dbdb8a5e789d01374f18a82e58.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 12ab3d1fc2882035f6492a5e87d055f0702c39dbdb8a5e789d01374f18a82e58.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 1564 / 12ab3d1fc2882035f6492a5e87d055f0702c39dbdb8a5e789d01374f18a82e58.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process), each row recorded 4 times:
    PID 1564 wrote to memory of 896 / 1564 / 12ab3d1fc2882035f6492a5e87d055f0702c39dbdb8a5e789d01374f18a82e58.exe / MediaCenter.exe
    PID 1564 wrote to memory of 432 / 1564 / 12ab3d1fc2882035f6492a5e87d055f0702c39dbdb8a5e789d01374f18a82e58.exe / cmd.exe
    PID 432 wrote to memory of 1260 / 432 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\12ab3d1fc2882035f6492a5e87d055f0702c39dbdb8a5e789d01374f18a82e58.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12ab3d1fc2882035f6492a5e87d055f0702c39dbdb8a5e789d01374f18a82e58.exe"
  PID: 1564
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 896
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12ab3d1fc2882035f6492a5e87d055f0702c39dbdb8a5e789d01374f18a82e58.exe"
    PID: 432
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1260
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: da7eead9ca421bdd10c56c69a8c01f6b
  SHA1: 037f16c9727551e35dc65e717b9c5b190515f4ca
  SHA256: 3bbb49637e37b2625db9986e602fb319046783d419d7612717e940d6e88a9b81
  SHA512: acb7cd6ea32cdcff4275ec977d44f5a7db3549e3354589d5b9fb70e7f75eb89cf8d9953501a36dd9904888c7a217af88a6816725a060f28e5c8c4048d4643fb2