Analysis
max time kernel: 122s
max time network: 142s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:51
Static task: static1
Behavioral task: behavioral1
  Sample: 143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe
  Resource: win10v2004-en-20220112
General
Target: 143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe
Size: 60KB
MD5: e3314d4dd66362255d1703840cfbe109
SHA1: fdbbbc51c7a7ec686842604b4284ff58d49af97a
SHA256: 143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191
SHA512: b8ec4cd7e5efcfaa948abfe69cc0b7a38c186e766487a7c94d62d9442ce0542f83beac0591e624f8cbf063eb5cd296aee9ce76b46f9ccf2a2b0f4fe8b42b148e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid 1816  process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
    pid 1996  process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe
    pid 1864  process 143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe
    pid 1864  process 143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe
    description: Token: SeIncBasePriorityPrivilege
    pid 1864  process 143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe, cmd.exe
  Columns: description, pid, process, target process
    PID 1864 wrote to memory of 1816  1864  143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe  MediaCenter.exe
    PID 1864 wrote to memory of 1816  1864  143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe  MediaCenter.exe
    PID 1864 wrote to memory of 1816  1864  143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe  MediaCenter.exe
    PID 1864 wrote to memory of 1816  1864  143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe  MediaCenter.exe
    PID 1864 wrote to memory of 1996  1864  143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe  cmd.exe
    PID 1864 wrote to memory of 1996  1864  143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe  cmd.exe
    PID 1864 wrote to memory of 1996  1864  143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe  cmd.exe
    PID 1864 wrote to memory of 1996  1864  143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe  cmd.exe
    PID 1996 wrote to memory of 1812  1996  cmd.exe  PING.EXE
    PID 1996 wrote to memory of 1812  1996  cmd.exe  PING.EXE
    PID 1996 wrote to memory of 1812  1996  cmd.exe  PING.EXE
    PID 1996 wrote to memory of 1812  1996  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1864
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1816
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\143c2210e6fc58ce545ad1523a1da1672a14f5556e3e857b6643b07d17749191.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1996
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1812
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1103e0afa439dffc0ea7de98f4ba906f
  SHA1: b22b1f587107219589b005f2ecdb2b83fdf48fb9
  SHA256: 7efcbf285cb698265bfb4895930813980921b36f3c49b244300cf3f68375f51c
  SHA512: 807e0b0f7cbe21241cba13a0090f2ef9dbc2cb4904a996a7b277bfc5063130cbb3277a386b573491db25311c18b050a3a225017e5091792d074aa4551548fdb2