Analysis
- max time kernel: 148s
- max time network: 176s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:34
Static task: static1
Behavioral task: behavioral1
- Sample: 125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe
- Resource: win10v2004-en-20220113
General
- Target: 125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe
- Size: 58KB
- MD5: d88045845e647776e8fef388be32dbc4
- SHA1: 3a4aa6fd1263362639a71f5f3852a7ef32ef4380
- SHA256: 125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5
- SHA512: 8da6e4fdb9fe540324660c2abeb2ec388b430a72ffe053f15db035dd36161b6a6ad06a4100e61e37d62f230a1f2b4aa950616b8826b9d6a33c147894fffa111c
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid   process
  900   MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid    process
  1820   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe
  pid   process
  960   125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe
  960   125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe
  description       ioc                                                                                                                                                          process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   960   125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe, cmd.exe
  description                       pid    process                                                                  target process
  PID 960 wrote to memory of 900    960    125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe   MediaCenter.exe
  PID 960 wrote to memory of 900    960    125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe   MediaCenter.exe
  PID 960 wrote to memory of 900    960    125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe   MediaCenter.exe
  PID 960 wrote to memory of 900    960    125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe   MediaCenter.exe
  PID 960 wrote to memory of 1820   960    125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe   cmd.exe
  PID 960 wrote to memory of 1820   960    125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe   cmd.exe
  PID 960 wrote to memory of 1820   960    125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe   cmd.exe
  PID 960 wrote to memory of 1820   960    125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe   cmd.exe
  PID 1820 wrote to memory of 1896  1820   cmd.exe                                                                  PING.EXE
  PID 1820 wrote to memory of 1896  1820   cmd.exe                                                                  PING.EXE
  PID 1820 wrote to memory of 1896  1820   cmd.exe                                                                  PING.EXE
  PID 1820 wrote to memory of 1896  1820   cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 960
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 900
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\125a47c3f63aa86810cce2dbb67669660a71f98f0b8f0d959f695a27188158a5.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1820
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1896
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4d8924e50e1b8334591c4b90b75369c6
  SHA1: c6bab259fe8acee9c4af244a1b29efde5011494b
  SHA256: 171e2228446e1056a3c90a2a6f94d6dc51461ec63054d10b122cf40861a6e19c
  SHA512: 3cc93370a231b5413c2a1cb9878da9cb10583f1f507ce8225718371150e352f8c7e4eb14fdc17cfc7ed476726f765a820ee321aabc056b60a7199a71f554d0f8