Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:54
Static task: static1
Behavioral task: behavioral1
  Sample: 1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe
  Resource: win10v2004-en-20220112
General
- Target: 1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe
- Size: 60KB
- MD5: 5589ac2a8a53c9efe8603984f5596065
- SHA1: 41689aabf37435cf2e49d3157a26c0b9f6eb6411
- SHA256: 1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed
- SHA512: f9b5d6ea3db25e6fb657d1ba4424e9c0a765a8a9973cb5e1e6f811433ede92cf7c8e36105e3e42f0f74bb2de0e531d08bb7488de4343364131bb8270e6128697
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1536  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
    856  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1684  1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe
    1684  1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1684  1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1684 wrote to memory of 1536  1684  1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe  MediaCenter.exe
    PID 1684 wrote to memory of 1536  1684  1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe  MediaCenter.exe
    PID 1684 wrote to memory of 1536  1684  1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe  MediaCenter.exe
    PID 1684 wrote to memory of 1536  1684  1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe  MediaCenter.exe
    PID 1684 wrote to memory of 856  1684  1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe  cmd.exe
    PID 1684 wrote to memory of 856  1684  1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe  cmd.exe
    PID 1684 wrote to memory of 856  1684  1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe  cmd.exe
    PID 1684 wrote to memory of 856  1684  1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe  cmd.exe
    PID 856 wrote to memory of 2032  856  cmd.exe  PING.EXE
    PID 856 wrote to memory of 2032  856  cmd.exe  PING.EXE
    PID 856 wrote to memory of 2032  856  cmd.exe  PING.EXE
    PID 856 wrote to memory of 2032  856  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1684
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:1536
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1411858342a2f42ada51f25fe576ff31895717f416e2d1a116a91fc3a518aeed.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:856
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID:2032
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5f6ff89d498a33958ac0294a795d4de6
  SHA1: 82fcfe5c1e605d6852c68f9de4af62c707ae9dcb
  SHA256: cc1bf667fcdee7f1b228eac52b7275b18cbb8d338602a284436fcf028710253c
  SHA512: 37d024498e765f1e65641149bae78dadc099c690806673f80c094c26b40b7d5262fb3f6f104e285addb52b5455b15e716462c8b7a3e884cad1b1dd5e5cdeb1aa