Analysis
- max time kernel: 117s
- max time network: 135s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:32
Static task: static1
Behavioral task: behavioral1
- Sample: 12698d308d90ab7a1516a17b7723412aaea411708fc82b218bf0479473b0f4f0.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 12698d308d90ab7a1516a17b7723412aaea411708fc82b218bf0479473b0f4f0.exe
- Resource: win10v2004-en-20220113
General
- Target: 12698d308d90ab7a1516a17b7723412aaea411708fc82b218bf0479473b0f4f0.exe
- Size: 36KB
- MD5: 0b95241e252215737c33d68bbfa15b83
- SHA1: 5f7fa06ec7dd9c1b693ae73182d8713ba8430bb3
- SHA256: 12698d308d90ab7a1516a17b7723412aaea411708fc82b218bf0479473b0f4f0
- SHA512: 6c86861bde45647425c44cc1ff3b6f768bc4fbca40ea4cbc08c6267f07226ed3ed031a989aedaff576fcc96fb28f04884fc60629db714d5ce3200ed50e4348eb
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1092)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 428)
- Loads dropped DLL (2 IoCs)
  Process: 12698d308d90ab7a1516a17b7723412aaea411708fc82b218bf0479473b0f4f0.exe (PID 1624), 2 entries
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 12698d308d90ab7a1516a17b7723412aaea411708fc82b218bf0479473b0f4f0.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 12698d308d90ab7a1516a17b7723412aaea411708fc82b218bf0479473b0f4f0.exe (PID 1624)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1624 (12698d308d90ab7a1516a17b7723412aaea411708fc82b218bf0479473b0f4f0.exe) wrote to memory of PID 1092 (MediaCenter.exe), 4 entries
  PID 1624 (12698d308d90ab7a1516a17b7723412aaea411708fc82b218bf0479473b0f4f0.exe) wrote to memory of PID 428 (cmd.exe), 4 entries
  PID 428 (cmd.exe) wrote to memory of PID 1808 (PING.EXE), 4 entries
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\12698d308d90ab7a1516a17b7723412aaea411708fc82b218bf0479473b0f4f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12698d308d90ab7a1516a17b7723412aaea411708fc82b218bf0479473b0f4f0.exe"
  PID: 1624
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1092
    - Executes dropped EXE
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12698d308d90ab7a1516a17b7723412aaea411708fc82b218bf0479473b0f4f0.exe"
    PID: 428
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1808
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: bd79eb6572d8c6f9cbd0732e3200f474
  SHA1: 86e464469456f21d1e2a134faa7cf514373ad5ed
  SHA256: 969c6d12d56396a95d215c3b3bfecd9473ca2c71c66446bfe9ebb89b63dfa240
  SHA512: f7af090eb46ca3bbf6bbf13980b21c2941422f02a70629ba791c0d6e3f7bc6e7c825814cd0321e4112c1418239f9352b4a9f7673d29ee341d2894f3a94ee84c5