Analysis
- max time kernel: 148s
- max time network: 174s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:35
Static task: static1
Behavioral task: behavioral1
  Sample: 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
  Resource: win10v2004-en-20220113
General
- Target: 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
- Size: 58KB
- MD5: d376819fef49c1655282ae0bb9149038
- SHA1: db953b827f759d146baf25c15a812b4f9e914c5e
- SHA256: 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5
- SHA512: 4410f94d322be8ce0e142a46077a247c0beff37da9954f9396c90f5bd2c24e733915a317256fa6d516316a5a947023e8cd67e93ac1ccd8b9d18ce0dc0d65a4c8
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  1316 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid | process
  1084 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
  pid | process
  1600 | 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
  1600 | 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1600 | 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe, cmd.exe
  description | pid | process | target process
  PID 1600 wrote to memory of 1316 | 1600 | 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe | MediaCenter.exe
  PID 1600 wrote to memory of 1316 | 1600 | 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe | MediaCenter.exe
  PID 1600 wrote to memory of 1316 | 1600 | 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe | MediaCenter.exe
  PID 1600 wrote to memory of 1316 | 1600 | 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe | MediaCenter.exe
  PID 1600 wrote to memory of 1084 | 1600 | 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe | cmd.exe
  PID 1600 wrote to memory of 1084 | 1600 | 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe | cmd.exe
  PID 1600 wrote to memory of 1084 | 1600 | 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe | cmd.exe
  PID 1600 wrote to memory of 1084 | 1600 | 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe | cmd.exe
  PID 1084 wrote to memory of 780 | 1084 | cmd.exe | PING.EXE
  PID 1084 wrote to memory of 780 | 1084 | cmd.exe | PING.EXE
  PID 1084 wrote to memory of 780 | 1084 | cmd.exe | PING.EXE
  PID 1084 wrote to memory of 780 | 1084 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1600
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1316
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1084
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 780
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 14d7587b6e60dd2793ecd6cdc02c451b
  SHA1: 56dd02d7c147411c817a0e763b5d822a047304d0
  SHA256: df7bf226d2ca32df5c8376c0379ebf1321d2a7e667616064a0b781ab0abc01fb
  SHA512: 417e3e402ba9855803f6d0aa3e87105ce22e4a8703049ed87bb87f9db27bc77a6f0c8725c335bcd7c5449be8739388d9ae7682e1dae2de1bb556d7934a3f5421