Analysis
- max time kernel: 123s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:45
Static task: static1
Behavioral task: behavioral1
  Sample: 149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe
  Resource: win10v2004-en-20220113
General
- Target: 149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe
- Size: 58KB
- MD5: 2f7a71a51e26767529a4c1f9eccaa080
- SHA1: a9980f3138bb78fd6bc90323dc4c91a8fbff37aa
- SHA256: 149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28
- SHA512: 50ce17151c28f40c07f8307b75058a6ab6b56a6d8414d5ec52de1c9a39e513807c2cbb858e476b6d0974148f39f05df8bbcc29661016b1088e9f505d561f530e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid  process
    876  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    1000  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1516  149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe
    1516  149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1516
    process: 149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                               target process
    PID 1516 wrote to memory of 876   1516  149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe  MediaCenter.exe
    PID 1516 wrote to memory of 876   1516  149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe  MediaCenter.exe
    PID 1516 wrote to memory of 876   1516  149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe  MediaCenter.exe
    PID 1516 wrote to memory of 876   1516  149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe  MediaCenter.exe
    PID 1516 wrote to memory of 1000  1516  149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe  cmd.exe
    PID 1516 wrote to memory of 1000  1516  149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe  cmd.exe
    PID 1516 wrote to memory of 1000  1516  149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe  cmd.exe
    PID 1516 wrote to memory of 1000  1516  149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe  cmd.exe
    PID 1000 wrote to memory of 1876  1000  cmd.exe                                                               PING.EXE
    PID 1000 wrote to memory of 1876  1000  cmd.exe                                                               PING.EXE
    PID 1000 wrote to memory of 1876  1000  cmd.exe                                                               PING.EXE
    PID 1000 wrote to memory of 1876  1000  cmd.exe                                                               PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1516
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 876
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\149093a34593ae37cd3bb89cb86a56775a9ce0e8f8e42c2217dadd08d56c4d28.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1000
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1876
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a41336038b26a4f7a25b0893284961ad
  SHA1: 74cbef6b2ad57c2d1a7ab0e6802c8dbd6f7a8e1e
  SHA256: e9c955389dc4c804393140e6514df9d8c6043e0239155fe27f322c05a14cca96
  SHA512: adf4ef2956e9b0bf4e741d9556c79e0078f6dac787163ea316ac9db02b3a2075efa9cbaed8965b8a9fda08f37b1577538f53a08e8ceffd2bee605a5ddb0356f0