Analysis
- max time kernel: 150s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:28
Static task: static1
Behavioral task: behavioral1
- Sample: 12a21fa803a39f45022e0fa99059c6dc972d65468a9d1bdb7dc09a5a916e6272.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 12a21fa803a39f45022e0fa99059c6dc972d65468a9d1bdb7dc09a5a916e6272.exe
- Resource: win10v2004-en-20220113
General
- Target: 12a21fa803a39f45022e0fa99059c6dc972d65468a9d1bdb7dc09a5a916e6272.exe
- Size: 60KB
- MD5: eb09a23fa28816c718756a64103457a6
- SHA1: 1e6bb4c9fbf9087bafd23426fc9c6717e0411221
- SHA256: 12a21fa803a39f45022e0fa99059c6dc972d65468a9d1bdb7dc09a5a916e6272
- SHA512: 2866c5e2acafa66d96eafe54ad0068f297f90bd276bca727eeb9e58a71625a3356d44ab85b442c5e8e4efe9081a76bc5ab167e27640f96dcc6d9995ed4313590
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  1324  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
  608  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  892  12a21fa803a39f45022e0fa99059c6dc972d65468a9d1bdb7dc09a5a916e6272.exe
  892  12a21fa803a39f45022e0fa99059c6dc972d65468a9d1bdb7dc09a5a916e6272.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  12a21fa803a39f45022e0fa99059c6dc972d65468a9d1bdb7dc09a5a916e6272.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege  892  12a21fa803a39f45022e0fa99059c6dc972d65468a9d1bdb7dc09a5a916e6272.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 892 wrote to memory of 1324  892  12a21fa803a39f45022e0fa99059c6dc972d65468a9d1bdb7dc09a5a916e6272.exe  MediaCenter.exe  (4 identical entries)
  PID 892 wrote to memory of 608  892  12a21fa803a39f45022e0fa99059c6dc972d65468a9d1bdb7dc09a5a916e6272.exe  cmd.exe  (4 identical entries)
  PID 608 wrote to memory of 1056  608  cmd.exe  PING.EXE  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\12a21fa803a39f45022e0fa99059c6dc972d65468a9d1bdb7dc09a5a916e6272.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12a21fa803a39f45022e0fa99059c6dc972d65468a9d1bdb7dc09a5a916e6272.exe"
  Level 1, PID: 892
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Level 2, PID: 1324
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12a21fa803a39f45022e0fa99059c6dc972d65468a9d1bdb7dc09a5a916e6272.exe"
    Level 2, PID: 608
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Level 3, PID: 1056
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: daad5aa14baadd5f76a643b4231131b1
  SHA1: b006531809ec50c4fed972e53827d000d2b4c99c
  SHA256: b8367683e60721281580ce2dec04b029d6e1cab0ab2027f0fd676234addbf9f0
  SHA512: 84447c2f1f9bdd816eb532f9abbf6a4287b839ce93570305406da3c6e9db64b62bafa12ee4f3b5e143c65fd07cd45c25ac71a809b5540b28e1cdf7b974a9cbc7