Analysis
- max time kernel: 134s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:29
Static task: static1
Behavioral task: behavioral1
  Sample: 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe
  Resource: win10v2004-en-20220113
General
- Target: 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe
- Size: 58KB
- MD5: 62f9fcd389f2a8071c985b9fa14b536c
- SHA1: eb4f9df6ef441274c6a765a2b30c45c715170b0b
- SHA256: 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2
- SHA512: 5a92435f1ef8521352d400cda4fe672a2388fa7db55cfe3e4be76dca8e621daedbb5b1458311601d1459c24038c1738faaf7c15c6a6d2fa83d0c81dfb748c7e5
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    1876 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    1368 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    1940 | 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe
    1940 | 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 1940 | 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 1940 wrote to memory of 1876 | 1940 | 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe | MediaCenter.exe
    PID 1940 wrote to memory of 1876 | 1940 | 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe | MediaCenter.exe
    PID 1940 wrote to memory of 1876 | 1940 | 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe | MediaCenter.exe
    PID 1940 wrote to memory of 1876 | 1940 | 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe | MediaCenter.exe
    PID 1940 wrote to memory of 1368 | 1940 | 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe | cmd.exe
    PID 1940 wrote to memory of 1368 | 1940 | 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe | cmd.exe
    PID 1940 wrote to memory of 1368 | 1940 | 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe | cmd.exe
    PID 1940 wrote to memory of 1368 | 1940 | 129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe | cmd.exe
    PID 1368 wrote to memory of 1920 | 1368 | cmd.exe | PING.EXE
    PID 1368 wrote to memory of 1920 | 1368 | cmd.exe | PING.EXE
    PID 1368 wrote to memory of 1920 | 1368 | cmd.exe | PING.EXE
    PID 1368 wrote to memory of 1920 | 1368 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1940
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1876
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\129a2e1450730366299afa9738d813c63f3ba60f21b8966616a07967a5c905a2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1368
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1920
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 58d592953e802a6faf4ee6a41d59b291
  SHA1: 6504884fb8126c631d39291a4556ec834b51982a
  SHA256: 1c6e55a3251bfd1fac13e0a3b70661fe472637f0e52db314697e979c97d3649f
  SHA512: f2c0fc39686ef37d976fc4a43c1d000af5ebc82250e67c6c99a1b90954dfb4adc4a89d129990e85471e8a2e2d569fd556cfeef43d5665d95ae93e97b4ee46778