Analysis
- max time kernel: 124s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:50
Static task: static1
Behavioral task: behavioral1
- Sample: 1449931fbbf278ed69058c671f143d543a2cfb864b85f6fd075e8c0ce23a2314.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1449931fbbf278ed69058c671f143d543a2cfb864b85f6fd075e8c0ce23a2314.exe
- Resource: win10v2004-en-20220113
General
- Target: 1449931fbbf278ed69058c671f143d543a2cfb864b85f6fd075e8c0ce23a2314.exe
- Size: 60KB
- MD5: 71d112273caacc8783107d92c657d2e6
- SHA1: 892c8049213d0dae947175cad234713be8e37e73
- SHA256: 1449931fbbf278ed69058c671f143d543a2cfb864b85f6fd075e8c0ce23a2314
- SHA512: 1dd5f2bdd703a7639d71f3f51045172af8fb8d0e65eea24d70ba651cce0d82532f16a8be352611f6867768066e41c572f6ceea13f0f43568be69f6322345d905
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1916 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: PID 2028 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1288 1449931fbbf278ed69058c671f143d543a2cfb864b85f6fd075e8c0ce23a2314.exe (two load events reported)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 1449931fbbf278ed69058c671f143d543a2cfb864b85f6fd075e8c0ce23a2314.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: PID 1288 1449931fbbf278ed69058c671f143d543a2cfb864b85f6fd075e8c0ce23a2314.exe
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID wrote to memory of target PID):
  - PID 1288 (1449931fbbf278ed69058c671f143d543a2cfb864b85f6fd075e8c0ce23a2314.exe) wrote to memory of PID 1916 (MediaCenter.exe), reported 4 times
  - PID 1288 (1449931fbbf278ed69058c671f143d543a2cfb864b85f6fd075e8c0ce23a2314.exe) wrote to memory of PID 2028 (cmd.exe), reported 4 times
  - PID 2028 (cmd.exe) wrote to memory of PID 1612 (PING.EXE), reported 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\1449931fbbf278ed69058c671f143d543a2cfb864b85f6fd075e8c0ce23a2314.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1449931fbbf278ed69058c671f143d543a2cfb864b85f6fd075e8c0ce23a2314.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1288
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1916
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1449931fbbf278ed69058c671f143d543a2cfb864b85f6fd075e8c0ce23a2314.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2028
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1612
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 36b6af3fa22c40ab7a0a49c13fd76d98
  SHA1: 8e00801a8596794196e030ea5744e7a3b81068fe
  SHA256: 9e1ca36ea6eef4d345ad46547bba1e9ec32e536478e2aa5ada49fbf177608d9b
  SHA512: d9c3adad49a2f3422c86cc81e770218718d0ca8675a05694f7e8b7f0b03f22f821a1b7fb96ce334ce63aeba5a5306926ba5b7ce4b6a392ecaa1861695f71f2d3
  (this same set of hashes is listed three times in the report)