Analysis
- max time kernel: 133s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:57
Static task: static1
Behavioral task: behavioral1
- Sample: 13fa710c8926a6fdbb5cef19372bebe3188b082655b1ccc7c233fc6072794826.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 13fa710c8926a6fdbb5cef19372bebe3188b082655b1ccc7c233fc6072794826.exe
- Resource: win10v2004-en-20220112
General
- Target: 13fa710c8926a6fdbb5cef19372bebe3188b082655b1ccc7c233fc6072794826.exe
- Size: 60KB
- MD5: 284cacf8d6865126521fd32ecea4a7ea
- SHA1: 8448f783fd8580331defc71e16af5d3191dd9ade
- SHA256: 13fa710c8926a6fdbb5cef19372bebe3188b082655b1ccc7c233fc6072794826
- SHA512: c9ef39a9661cb49ca1e141abf32905d8c4e4ed1d1540169dd78974455c303300d5f35cf1a9ded1010a3e4030897d3e71ff07e058bea90df130c388bc0b95c16d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1720)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 1448)
- Loads dropped DLL (2 IoCs)
  Process: 13fa710c8926a6fdbb5cef19372bebe3188b082655b1ccc7c233fc6072794826.exe (PID 760), listed twice, one entry per DLL load
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 13fa710c8926a6fdbb5cef19372bebe3188b082655b1ccc7c233fc6072794826.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: the Wow6432Node path is the WoW64-redirected view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that a 32-bit process gets on 64-bit Windows (the same redirection is why the process tree shows SysWOW64\cmd.exe and SysWOW64\PING.EXE), so the entry still autostarts at logon. The persisted binary lives under the user's Temp directory, which is itself a useful indicator when hunting Run keys.
- Enumerates physical storage devices (1 TTP, no IoC listed)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the signature's generic description; no file-encryption or ransom-note activity appears elsewhere in this report.)
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 1248), "ping 127.0.0.1", used here as a delay so the parent has exited before the del in the same cmd.exe chain runs (see the process tree)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 13fa710c8926a6fdbb5cef19372bebe3188b082655b1ccc7c233fc6072794826.exe (PID 760), Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 760 (13fa710c8926a6fdbb5cef19372bebe3188b082655b1ccc7c233fc6072794826.exe) wrote to PID 1720 (MediaCenter.exe): 4 writes
  PID 760 (13fa710c8926a6fdbb5cef19372bebe3188b082655b1ccc7c233fc6072794826.exe) wrote to PID 1448 (cmd.exe): 4 writes
  PID 1448 (cmd.exe) wrote to PID 1248 (PING.EXE): 4 writes
  Every write goes from a parent into a child it has just created, which is consistent with ordinary process start-up (the parent writing the child's startup parameters) rather than injection; no write into a pre-existing process is recorded, so this signature is not evidence of injection on its own.
Processes
1. C:\Users\Admin\AppData\Local\Temp\13fa710c8926a6fdbb5cef19372bebe3188b082655b1ccc7c233fc6072794826.exe (PID 760)
   Command line: "C:\Users\Admin\AppData\Local\Temp\13fa710c8926a6fdbb5cef19372bebe3188b082655b1ccc7c233fc6072794826.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1720, child of 760)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1448, child of 760)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13fa710c8926a6fdbb5cef19372bebe3188b082655b1ccc7c233fc6072794826.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1248, child of 1448)
         Command line: ping 127.0.0.1
         - Runs ping.exe
   The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is a 32-bit process and WoW64 file-system redirection maps its System32 reference to SysWOW64. The "ping 127.0.0.1 & del /q <own path>" chain is the classic self-delete: the ping stalls cmd.exe long enough for the original executable to exit so the del succeeds, while the dropped MediaCenter.exe and its Run key remain.
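Detection logic for the two behaviours in this report, as an added example (not the sandbox's code and not the sample's): it flags a cmd.exe child whose delay-then-del chain targets its parent's own image, and a Run/RunOnce value (including the Wow6432Node view) pointing into a user-writable directory. The events are constructed from the values in the process tree and signatures above; the field names (pid, parent_pid, image, parent_image, cmdline, key, data) are an assumption for this example, not the sandbox's export schema. It generalises slightly beyond the page by also accepting timeout as the delay command and RunOnce as the key.

```python
# Added example for this report (not the sandbox's code and not the sample's):
# detection logic for the two behaviours documented above, run over constructed
# process-creation and registry-set events whose values are copied from the
# report. The event field names (pid, parent_pid, image, parent_image, cmdline,
# key, data) are an assumption for this example, not the sandbox's schema.
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\13fa710c8926a6fdbb5cef19372bebe3188b082655b1ccc7c233fc6072794826.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events modelled on the report's process tree (field names assumed).
PROC_EVENTS = [
    {"pid": 760, "parent_pid": 0, "image": SAMPLE, "parent_image": "",
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 1720, "parent_pid": 760, "parent_image": SAMPLE,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 1448, "parent_pid": 760, "parent_image": SAMPLE, "image": CMD32,
     # the sample names System32; WoW64 redirection actually runs SysWOW64\cmd.exe
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1248, "parent_pid": 1448, "parent_image": CMD32,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]
REG_EVENTS = [  # the report exports the value data with doubled backslashes
    {"pid": 760,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": r"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"},
]

# Leading "<path>\cmd.exe" /c or /k, with or without quotes and directory.
CMD_PREFIX = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*?\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.IGNORECASE)
# Delay commands used to outlive the parent: ping (as in this report) or timeout (generalisation).
DELAY = re.compile(r"^(?:ping|timeout)(?:\.exe)?\s", re.IGNORECASE)
# del/erase with optional switches and an optionally quoted path.
DEL = re.compile(r'^(?:del|erase)(?:\s+/[a-z])*\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.IGNORECASE)
# Keep this list tight: per-user installs under AppData\Local\Programs are legitimate Run entries.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")


def split_chain(body):
    """Split a cmd.exe command body on unquoted '&' / '&&'."""
    segs, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            if cur:
                segs.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        segs.append("".join(cur).strip())
    return [s for s in segs if s]


def delayed_delete_target(cmdline):
    """Path removed by a 'ping|timeout ... & del <path>' chain, else None."""
    body = CMD_PREFIX.sub("", cmdline, count=1)
    saw_delay = False
    for seg in split_chain(body):
        if DELAY.match(seg):
            saw_delay = True
            continue
        m = DEL.match(seg)
        if m and saw_delay:  # the delete must come after the delay to be a self-delete
            return m.group(1)
    return None


def norm_path(p):
    """Lower-case, unquote, and collapse the doubled backslashes of exported data."""
    return p.strip().strip('"').replace("\\\\", "\\").lower()


def detect_self_delete(events):
    """cmd.exe children whose delayed delete target is their parent's own image."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        target = delayed_delete_target(e["cmdline"])
        if target and norm_path(target) == norm_path(e["parent_image"]):
            hits.append({"parent_pid": e["parent_pid"], "pid": e["pid"], "deleted": target})
    return hits


def detect_temp_run_key(reg_events):
    """Run/RunOnce values (any hive, including the Wow6432Node view) pointing into user-writable dirs."""
    hits = []
    for r in reg_events:
        if not RUN_KEY.search(r["key"]):
            continue
        target = norm_path(r["data"])
        if any(d in target for d in USER_WRITABLE):
            hits.append({"pid": r["pid"], "value": r["key"].rsplit("\\", 1)[-1], "target": target})
    return hits


if __name__ == "__main__":
    for h in detect_self_delete(PROC_EVENTS) + detect_temp_run_key(REG_EVENTS):
        print(h)
```

Matching the del target against the parent's image rather than against any path is what keeps this quiet on installers that legitimately clean up their own temp files after a delay; the Run-key check deliberately ignores AppData\Local\Programs, where per-user application installs legitimately register themselves.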
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 249721d7790f0d3ec4cc594bc9437ae8
- SHA1: 432fd0425dec7bdef21690e0182ec205129fdcb7
- SHA256: 13e3cf2570ec507b786e77cad518dc79a08ae7f84f9b39c8833126fa56d89aaf
- SHA512: 6c4b1cb698ad29702f294bd52e41f28d414563f95b4e6027c67c9a1051bc1132c9668c65a0cd66eee7a6e0f7c8d0d9635204ce8806b91e33890b73b853ac5553