Analysis
- max time kernel: 150s
- max time network: 183s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:52
Static task: static1
Behavioral task: behavioral1
- Sample: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe
- Resource: win10v2004-en-20220112
General
- Target: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe
- Size: 60KB
- MD5: 9334bf311d2af849e84994cf85e78d8e
- SHA1: f4868bccb8fbda4299da06a40bb55a2d904df00b
- SHA256: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081
- SHA512: cf03ff7817970e5d306ca786c214b16c327b6fb36f268340a01b6555bcaeaf34fc263ab1bd5d2d0af1da106f347357b19f9ebff60310f9fe4149029eee2f978c
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: PID 1772 MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: PID 656 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1368 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe, Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Token: SeIncBasePriorityPrivilege, PID 1368 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID wrote to memory of target PID, source process -> target process):
  PID 1368 wrote to memory of 1772: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe -> MediaCenter.exe (4 entries)
  PID 1368 wrote to memory of 656: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe -> cmd.exe (4 entries)
  PID 656 wrote to memory of 1556: cmd.exe -> PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe (PID 1368)
  Command line: "C:\Users\Admin\AppData\Local\Temp\142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1772)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 656)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1556)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1b14bba52743e05dd50f1ad343fa5285
  SHA1: 06cbe95828421fa35ae16162e881dffb8561b38b
  SHA256: 83a9f288321d012502f08e477f50ff8d9d080f4affd34a8e93f18e90afada4c6
  SHA512: a5b1af50de80df26c5ce9e6c0f2feaff42c698c4715a312e54e75e56b7b87c401f93ae628248dc57357af5a6e877a1b1993a280f3b40c59ec483bda4ac1db67e