Analysis
- max time kernel: 120s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:54
Static task: static1
Behavioral task: behavioral1
- Sample: 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe
- Resource: win10v2004-en-20220113
General
- Target: 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe
- Size: 60KB
- MD5: efed97621a858a69fd74fadb229f48a9
- SHA1: a8ce01e42010292968ee69addd4fa7f697e6697a
- SHA256: 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc
- SHA512: 5fe164f70537c0e92bafd7f11806cde00513a75004682e2376822df67d653082649d4fc205feb229487b254a0c722ec0b9c1796cad0e1664ca8165256c675742
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1156 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1172 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1688 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe
    1688 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege, 1688 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1688 wrote to memory of 1156: 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe -> MediaCenter.exe (4 events)
    PID 1688 wrote to memory of 1172: 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe -> cmd.exe (4 events)
    PID 1172 wrote to memory of 1204: cmd.exe -> PING.EXE (4 events)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1688
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1156
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1172
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1204
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f2db6e8da9099ed7f2ab9c2b67693fad
  SHA1: f2fa5ce6c58797c1469fb4c5ec428e309c34c6ce
  SHA256: 10ff584a9972fb46f600dadeaa19351cf0db9cda9bffabbd785378b7ad571522
  SHA512: 411339f55e30177b8eba60b05b2704c924742335f9d58dc3455e8705b201d2b73e97e9e01913afdc8cd78875d8081df98077f688238fc2fe6e5ba56b0ec70d2a