Analysis
- max time kernel: 117s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:47
Static task: static1
Behavioral task: behavioral1
- Sample: 1476a1d6991210779f84412236d2d4fd4e5187dc1c6be6ea1fc1bc019be2b5e3.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1476a1d6991210779f84412236d2d4fd4e5187dc1c6be6ea1fc1bc019be2b5e3.exe
- Resource: win10v2004-en-20220112
General
- Target: 1476a1d6991210779f84412236d2d4fd4e5187dc1c6be6ea1fc1bc019be2b5e3.exe
- Size: 36KB
- MD5: dc9bec6578dbd16763d309fe688d914f
- SHA1: 6b6eea0e1c9998bb9eb6446d4060f1bf9b230b7a
- SHA256: 1476a1d6991210779f84412236d2d4fd4e5187dc1c6be6ea1fc1bc019be2b5e3
- SHA512: 4e84f6039fc97928a565616ad21e28e2dcd2a9611c791f4d7b4df2565bea173c46f011580846ea699fbaf1e99bb8bb0ec27e301123399ea9b37f565d30e54424
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1608  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
    392  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1740  1476a1d6991210779f84412236d2d4fd4e5187dc1c6be6ea1fc1bc019be2b5e3.exe
    1740  1476a1d6991210779f84412236d2d4fd4e5187dc1c6be6ea1fc1bc019be2b5e3.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1476a1d6991210779f84412236d2d4fd4e5187dc1c6be6ea1fc1bc019be2b5e3.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1740  1476a1d6991210779f84412236d2d4fd4e5187dc1c6be6ea1fc1bc019be2b5e3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1740 wrote to memory of 1608  1740  1476a1d6991210779f84412236d2d4fd4e5187dc1c6be6ea1fc1bc019be2b5e3.exe  MediaCenter.exe  (4 entries)
    PID 1740 wrote to memory of 392   1740  1476a1d6991210779f84412236d2d4fd4e5187dc1c6be6ea1fc1bc019be2b5e3.exe  cmd.exe  (4 entries)
    PID 392 wrote to memory of 1992   392   cmd.exe  PING.EXE  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1476a1d6991210779f84412236d2d4fd4e5187dc1c6be6ea1fc1bc019be2b5e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1476a1d6991210779f84412236d2d4fd4e5187dc1c6be6ea1fc1bc019be2b5e3.exe"
  PID: 1740
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1608
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1476a1d6991210779f84412236d2d4fd4e5187dc1c6be6ea1fc1bc019be2b5e3.exe"
    PID: 392
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1992
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ddd686b018824ddd3445a7fb5a019daf
  SHA1: e24816c21dc8603ab911658c7bd9ca906bbe6021
  SHA256: 7af038f1c1ec166e11451b1e47166f18c1032ee8df5233cc088a6fba45b6f23c
  SHA512: 8a358d3dc78a02eb3c363e5a492f7e9616c02ec8ecd756354aa6fef8ba122bdf6d58ec5df2ea91ba4f094264d5a4bfe4044a1947ad6b22a606821464eed4b7be