Analysis
- max time kernel: 153s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:48
Static task: static1
Behavioral task: behavioral1
- Sample: 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe
- Resource: win10v2004-en-20220113
General
- Target: 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe
- Size: 35KB
- MD5: a6d4d8052b6ed802024f79ddfa017acc
- SHA1: 588f91e974e1e90757258c8511e327ad66e6a5ce
- SHA256: 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181
- SHA512: 563b9c8bc62f9351f61eace1a0390ac5b8e7437a8ae67a63824886d3cd24a6cc940e10141d18b70a18c844f3f1361cec27b021dd0851ed3d0446bc67d2e2f678
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1608 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
  588 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1568 | 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe
  1568 | 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1568 | 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1568 wrote to memory of 1608 | 1568 | 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe | MediaCenter.exe
  PID 1568 wrote to memory of 1608 | 1568 | 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe | MediaCenter.exe
  PID 1568 wrote to memory of 1608 | 1568 | 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe | MediaCenter.exe
  PID 1568 wrote to memory of 1608 | 1568 | 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe | MediaCenter.exe
  PID 1568 wrote to memory of 588 | 1568 | 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe | cmd.exe
  PID 1568 wrote to memory of 588 | 1568 | 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe | cmd.exe
  PID 1568 wrote to memory of 588 | 1568 | 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe | cmd.exe
  PID 1568 wrote to memory of 588 | 1568 | 145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe | cmd.exe
  PID 588 wrote to memory of 724 | 588 | cmd.exe | PING.EXE
  PID 588 wrote to memory of 724 | 588 | cmd.exe | PING.EXE
  PID 588 wrote to memory of 724 | 588 | cmd.exe | PING.EXE
  PID 588 wrote to memory of 724 | 588 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe"
  Depth: 1
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1568
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Depth: 2
    - Executes dropped EXE
    PID: 1608
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\145f34d06f444b3f8200639bc1d7e1c9d0550837ed032bba9505fe2978e00181.exe"
    Depth: 2
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 588
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Depth: 3
      - Runs ping.exe
      PID: 724
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 18d685b0cba89a0cf6650fce899ed99b
  SHA1: 5fafee10c6cc7edf7c7aeef2a50fb96fa002d5a7
  SHA256: 0625138038a01cf0bc9330dd3ce00cc68194376dab13ecdaafa0bd1d7a2d1ffb
  SHA512: bed2e1790089ab83e6dd9abdf6a3cac2a43537e8e847ecbb80868797ee324dcc76ebdcd2aecc105a364e2219f89d967677670d49cd934891032bc0342ca2a8ad