Analysis
max time kernel: 153s
max time network: 168s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:50
Static task: static1
Behavioral task: behavioral1
  Sample: 1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe
  Resource: win10v2004-en-20220113
General
Target: 1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe
Size: 35KB
MD5: bf5cc2eededf22c913f500b744b51bcd
SHA1: 5bc6be9aa45ab842edd274f67847814292eda450
SHA256: 1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f
SHA512: 01bdfda49e8181f9513ef083525dfcda239dba7d3960f3aeb8650f258f82169c1146ee1e14f0175a8771f7faef4445a2f2470b82533c8340ccc1df1176f71be3
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1664  MediaCenter.exe
Deletes itself (1 IoCs)
  Processes (pid, process):
    1612  cmd.exe
Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1588  1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe
    1588  1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1588  1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1588 wrote to memory of 1664  1588  1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe  MediaCenter.exe  (4 identical entries)
    PID 1588 wrote to memory of 1612  1588  1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe  cmd.exe  (4 identical entries)
    PID 1612 wrote to memory of 1084  1612  cmd.exe  PING.EXE  (4 identical entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe"
  PID: 1588
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1664
    - Executes dropped EXE
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe"
    PID: 1612
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1084
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c48e49bcb3aec7c6a5b6b50d528ba3d1
SHA1: 755c85502514f8eaf9245711d0934d93379dbb58
SHA256: d2c3ddf1d5b640240c16ae84fcb85aa38ef0ab69c61478d5fe873235a06b33b1
SHA512: 40bfc4c18010069cade016276b80de8ca3f4c8cf15c84261f2da7c0257a73327cafbfd2c510c7ed4b18a4a8437e6cffe586bffa974368589a3e03c363f123db6