Analysis
- max time kernel: 143s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:50
Static task: static1
Behavioral task: behavioral1
  Sample: 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe
  Resource: win10v2004-en-20220112
General
- Target: 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe
- Size: 60KB
- MD5: b0d7b7939f6a8651a58c7b378d7ce19e
- SHA1: 5de580f15b534834f11245223cbff32214f5e57d
- SHA256: 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a
- SHA512: 820eb9602a1021455ec6614793253d0e369f2171c34e3312b6931cd0a81db08a152a797732574c409a54061d631354e7430feab80ba8164698777cc630cb2854
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 736, process MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid 1644, process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1612, process 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe
    pid 1612, process 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1612
    process: 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1612 wrote to memory of 736 / 1612 / 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe / MediaCenter.exe
    PID 1612 wrote to memory of 736 / 1612 / 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe / MediaCenter.exe
    PID 1612 wrote to memory of 736 / 1612 / 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe / MediaCenter.exe
    PID 1612 wrote to memory of 736 / 1612 / 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe / MediaCenter.exe
    PID 1612 wrote to memory of 1644 / 1612 / 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe / cmd.exe
    PID 1612 wrote to memory of 1644 / 1612 / 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe / cmd.exe
    PID 1612 wrote to memory of 1644 / 1612 / 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe / cmd.exe
    PID 1612 wrote to memory of 1644 / 1612 / 1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe / cmd.exe
    PID 1644 wrote to memory of 2036 / 1644 / cmd.exe / PING.EXE
    PID 1644 wrote to memory of 2036 / 1644 / cmd.exe / PING.EXE
    PID 1644 wrote to memory of 2036 / 1644 / cmd.exe / PING.EXE
    PID 1644 wrote to memory of 2036 / 1644 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1612
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 736
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1445be0c4e16f10b021e3ac78edcfeff5783b43a875df38db7c03257228b054a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1644
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2036
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5f944fcb48efde41f26a2d59474ef681
  SHA1: b6f4c99c2fb682e57902d1a5c638ec8e46e35bf2
  SHA256: 3fafb3cdd606446a8b4fefd5c7ca57a06dc7a1b825dbf61b400f6341e85c5faa
  SHA512: ad3dd9c77e80f34fe37b4e09c12a660bb0f3bafad2e9cf78599007a91d88a75ae1f1b74f03f56d03283497a17c6d5a8bab197ffa6ab80959d7a727970fc2c537