Analysis
Max time kernel: 154s
Max time network: 128s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 05:32
Static task: static1
Behavioral task: behavioral1
  Sample: 126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe
  Resource: win10v2004-en-20220113
General
Target: 126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe
Size: 36KB
MD5: a78e82245103aca7f26f67355b280629
SHA1: 187674c7b37413b1ed49e80b46af468d41bfa0b3
SHA256: 126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846
SHA512: fed17999ebb429d5f092d0143203653c80df9d08cacd33840368cb846932a0eee9edff40332638e9bb19c781eba71b20d8d5b7c203dcdac99e01b7d0dfdc7d07
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 828

Deletes itself (1 IoC)
  Process: cmd.exe, PID 1260

Loads dropped DLL (2 IoCs)
  Process: 126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe, PID 1664 (two DLL load events)

Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description: Token: SeIncBasePriorityPrivilege
  Process: 126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe, PID 1664

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1664 (126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe) wrote to memory of PID 828 (MediaCenter.exe): 4 events
  PID 1664 (126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe) wrote to memory of PID 1260 (cmd.exe): 4 events
  PID 1260 (cmd.exe) wrote to memory of PID 956 (PING.EXE): 4 events
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1664
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 828
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1260
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 956
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 383ef0fac1136ebaf5f41e635dee0b15
SHA1: 47c9f9c3cb00ce01a2f4c6c9ce1f0a3903945935
SHA256: 8e7a400948ee1c3e44c6749c2c5ad409a93bf4586f3a1fee6ab85eea6812c1bf
SHA512: 25cdc57fa2d4f856604d5389910b4fc579445c28c894c71257db720b48eebb1f22274c0ea7dfccfcd59744a402fb9eb86c678dbd217264b8ff68c6ba1dd76d59