Analysis
Max time kernel: 122s
Max time network: 150s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 04:52

Static task: static1
Behavioral task: behavioral1
  Sample: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
  Resource: win10v2004-en-20220113
General
Target: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
Size: 60KB
MD5: a87dd3b6f1ab2be3d8a6d9efdffb384d
SHA1: 43d5e8fb96620b0c5a0c3cb02309f882938ef1f3
SHA256: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b
SHA512: 263869bd707da3c4da81f8387027b0edf3627109f59dca14b97f912afb478a6226112c9afffcde39c13d1c59beb8cc0bcd381de602898474e9abad213caabb5d
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 572  MediaCenter.exe
Deletes itself (1 IoC)
  pid 836  cmd.exe
Loads dropped DLL (2 IoCs)
  pid 1100  1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
  pid 1100  1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  (process: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  pid 1100  1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1100 wrote to memory of 572  pid 1100  1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe -> MediaCenter.exe  (4 entries)
  PID 1100 wrote to memory of 836  pid 1100  1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe -> cmd.exe  (4 entries)
  PID 836 wrote to memory of 896  pid 836  cmd.exe -> PING.EXE  (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe"
  PID: 1100
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 572
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe"
    PID: 836
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 896
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: bf0e1402fee7bdc5cab4f6ee3dbde71d
SHA1: c943234a691835100a440979fadec07a1b1c2c90
SHA256: 2a307b8c49a1d464b075339b9be044b81f1398450af03f94893122f8dbc230b3
SHA512: fe14281b347cab2e1b0e38d4c22155e3c9adf4b1b40a5f92bbafd96a4a5f82d75a28bb06f0f8d9c90a653e76983402e8e650ce3f6677d27f2902dbbc9f5f7e9c