Analysis
max time kernel: 120s
max time network: 138s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:31
Static task: static1
Behavioral task: behavioral1
  Sample: 127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe
  Resource: win10v2004-en-20220112
General
Target: 127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe
Size: 58KB
MD5: a1718e6255a1a743024bfa0aceb9d0fa
SHA1: 5869aff3fbd9fcefefb5c2c6d21b437d9ecff7d9
SHA256: 127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac
SHA512: 7f51542bac1bd4256ac3e468aa8c7d9f08d740a8dceef42bd078ff46d24424f4253477d7e8f2cbbee4ea1ea5d04f94dfadfa72427db12cf23ebaf41122359be1
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes (pid / process):
  320  MediaCenter.exe
Deletes itself (1 IoCs)
Processes (pid / process):
  368  cmd.exe
Loads dropped DLL (2 IoCs)
Processes (pid / process):
  1308  127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe
  1308  127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
  Set value (str)
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege  1308  127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
  PID 1308 wrote to memory of 320   1308  127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe  MediaCenter.exe
  PID 1308 wrote to memory of 320   1308  127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe  MediaCenter.exe
  PID 1308 wrote to memory of 320   1308  127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe  MediaCenter.exe
  PID 1308 wrote to memory of 320   1308  127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe  MediaCenter.exe
  PID 1308 wrote to memory of 368   1308  127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe  cmd.exe
  PID 1308 wrote to memory of 368   1308  127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe  cmd.exe
  PID 1308 wrote to memory of 368   1308  127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe  cmd.exe
  PID 1308 wrote to memory of 368   1308  127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe  cmd.exe
  PID 368 wrote to memory of 1664   368   cmd.exe  PING.EXE
  PID 368 wrote to memory of 1664   368   cmd.exe  PING.EXE
  PID 368 wrote to memory of 1664   368   cmd.exe  PING.EXE
  PID 368 wrote to memory of 1664   368   cmd.exe  PING.EXE
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1308
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 320
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\127869735175a8e8beeaf5134ccc989b5fcebc86d404dcbcd49d1a860aa8e1ac.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 368
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1664
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: fac7b0d5668883b6f774a452cdd45a73
SHA1: 6eb2a15715aca949c1d1a063426b19d761824c5c
SHA256: 7ec42be4407bd289fee04533314eeac896a9c391a17bd3d0b5cc1731c4f78b5d
SHA512: 9f8c6c8d8e44ba13ec0214245f81c9cc33974aab6615f091897f711997358f642f66c9f989cf979def1adf3859e67c07cc6e055bca4a6e4dd48b3d51c0536028