Analysis
max time kernel: 122s
max time network: 147s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:57
Static task
static1
Behavioral task
behavioral1
Sample
13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe
Resource
win10v2004-en-20220113
General
Target: 13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe
Size: 36KB
MD5: 19f3356171e920c68795117fba4c1909
SHA1: 8b9ad44bc30158d008bed92e28c1efd854b2d9c0
SHA256: 13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1
SHA512: 2fd3e0ce3f3beee073a655bb984868667414dbb3a0bd6b3310a4c306d7754c026f395791be68177d9ec537e2c871f4a7d12df17b8fb20aa190d232a4f49cae8f
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1876, MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: pid 1368, cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 1940, 13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process 13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe (pid 1940): Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1940 (13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe) wrote to memory of PID 1876 (MediaCenter.exe) (4 entries)
  PID 1940 (13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe) wrote to memory of PID 1368 (cmd.exe) (4 entries)
  PID 1368 (cmd.exe) wrote to memory of PID 1048 (PING.EXE) (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe"
   PID: 1940
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1876
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe"
      PID: 1368
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1048
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: c110728ced734f026eeedd95935c3835
SHA1: 0fdb6c036ee46606cd8958256a4cb0dd1df60c39
SHA256: d2a24c8e2a7e5abfe1808fae43b1feb03a9f6059eb372e7f0d03b61245f21026
SHA512: 0422609d109d0f727ae0e3e0a8f885f67ba97104ee5d31234097601d208ebce44ad48b7169e85661a916885b3b5ff105985ed47608454030965b322fa95ba9b2