Analysis
- max time kernel: 149s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:49
Static task: static1
Behavioral task: behavioral1
  Sample: 1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe
  Resource: win10v2004-en-20220112
General
- Target: 1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe
- Size: 60KB
- MD5: d5d92f055f9113e34232a80a20af8b81
- SHA1: c95cb8a4b65ac6ad4ae84795c07c7a0b00481b92
- SHA256: 1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7
- SHA512: a50cb189909818e5bcc863570e1c9444b01c6b0699f824fe409a3bfcc154562b430c92971748d6d9b5b72f7dd29dcad230fa3afe2b99f82ef0e540268ce0378d
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid  process
    804  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid  process
    776  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1564  1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe
    1564  1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                                             process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                        pid   process
    Token: SeIncBasePriorityPrivilege  1564  1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                      pid   process                                                                   target process
    PID 1564 wrote to memory of 804  1564  1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe  MediaCenter.exe
    PID 1564 wrote to memory of 804  1564  1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe  MediaCenter.exe
    PID 1564 wrote to memory of 804  1564  1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe  MediaCenter.exe
    PID 1564 wrote to memory of 804  1564  1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe  MediaCenter.exe
    PID 1564 wrote to memory of 776  1564  1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe  cmd.exe
    PID 1564 wrote to memory of 776  1564  1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe  cmd.exe
    PID 1564 wrote to memory of 776  1564  1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe  cmd.exe
    PID 1564 wrote to memory of 776  1564  1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe  cmd.exe
    PID 776 wrote to memory of 1076  776   cmd.exe                                                                   PING.EXE
    PID 776 wrote to memory of 1076  776   cmd.exe                                                                   PING.EXE
    PID 776 wrote to memory of 1076  776   cmd.exe                                                                   PING.EXE
    PID 776 wrote to memory of 1076  776   cmd.exe                                                                   PING.EXE
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe"
  PID: 1564
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 804
    - Executes dropped EXE
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1449b9f23aaa3d7dbec02de2e4c18d93fe63605da8a5138531d4d427e8e286c7.exe"
    PID: 776
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1076
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 009a2451e5607afbdbd6e5ab6fed2c43
  SHA1: ea7257de647051d074e28ea0dcd6bce967d9848d
  SHA256: 6d6d980d3de487c260f508a7bc41318396e30938f9fe68c16637bcba720efd2b
  SHA512: 45d1a00f54e18e91e44de7f2c19171031764c7d8bcb5cfbe6a874cce4b6b4dca13f40188da8e2cb7c25ec9a8eb4b90441d50fa504149f392988868160b7940c4