Analysis
- max time kernel: 124s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:33
Static task: static1
Behavioral task: behavioral1
- Sample: 126691a6d58c9f2866211eb7161048be95ae6afd5854509b72e0ffb4d8c88d8d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 126691a6d58c9f2866211eb7161048be95ae6afd5854509b72e0ffb4d8c88d8d.exe
- Resource: win10v2004-en-20220112
General
- Target: 126691a6d58c9f2866211eb7161048be95ae6afd5854509b72e0ffb4d8c88d8d.exe
- Size: 35KB
- MD5: 2fce076fd6c107f35f27190447e91124
- SHA1: 75072133b7effff502b60b8ee74e59d016a7c32c
- SHA256: 126691a6d58c9f2866211eb7161048be95ae6afd5854509b72e0ffb4d8c88d8d
- SHA512: 0ef164246547e64facb0b0042d897acd70505be270dfb7998b8c8fd3d82bedb00db16bf7d78bc52e277cebde070d4bde7e3ec04d7eb011bf224191398c628286
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - MediaCenter.exe, pid 1884
- Deletes itself (1 IoC)
  Processes:
  - cmd.exe, pid 1984
- Loads dropped DLL (2 IoCs)
  Processes:
  - 126691a6d58c9f2866211eb7161048be95ae6afd5854509b72e0ffb4d8c88d8d.exe, pid 1740
  - 126691a6d58c9f2866211eb7161048be95ae6afd5854509b72e0ffb4d8c88d8d.exe, pid 1740
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - 126691a6d58c9f2866211eb7161048be95ae6afd5854509b72e0ffb4d8c88d8d.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - 126691a6d58c9f2866211eb7161048be95ae6afd5854509b72e0ffb4d8c88d8d.exe, pid 1740: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid -> target pid, source process -> target process):
  - PID 1740 wrote to memory of 1884: 126691a6d58c9f2866211eb7161048be95ae6afd5854509b72e0ffb4d8c88d8d.exe -> MediaCenter.exe (4 events)
  - PID 1740 wrote to memory of 1984: 126691a6d58c9f2866211eb7161048be95ae6afd5854509b72e0ffb4d8c88d8d.exe -> cmd.exe (4 events)
  - PID 1984 wrote to memory of 1956: cmd.exe -> PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\126691a6d58c9f2866211eb7161048be95ae6afd5854509b72e0ffb4d8c88d8d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\126691a6d58c9f2866211eb7161048be95ae6afd5854509b72e0ffb4d8c88d8d.exe"
  PID: 1740
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1884
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (child process)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\126691a6d58c9f2866211eb7161048be95ae6afd5854509b72e0ffb4d8c88d8d.exe"
    PID: 1984
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (child process)
      Command line: ping 127.0.0.1
      PID: 1956
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 580432d3881a37e3d3d7443975d20a0a
  SHA1: 01608eb9c844e88abb2d1178a553f8327725665a
  SHA256: 032f5a042e64d21db11491c75a2f9eb06a2d88c5fe1591673085ba33e2efc73b
  SHA512: 76fa93edff60b00d536f75b465623a97aeb9df67293658b5354cb870f5ee376ddc668c7558c5bdd66cd9d7852353327ee476f574a8d1be6588a13c81dd39aa1a