Analysis

- max time kernel: 141s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:59

Static task: static1

Behavioral task: behavioral1
- Sample: 13e6e9eae0d947cb5bb0e13f63ef8b83e6d0ade03cdccdef052e9e20bc755e83.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 13e6e9eae0d947cb5bb0e13f63ef8b83e6d0ade03cdccdef052e9e20bc755e83.exe
- Resource: win10v2004-en-20220113

General

- Target: 13e6e9eae0d947cb5bb0e13f63ef8b83e6d0ade03cdccdef052e9e20bc755e83.exe
- Size: 58KB
- MD5: 8ce91eabb4065db7bed9fb6ebd336ea4
- SHA1: e9287ba26fd5b446d9bca8166b2e7b6e7b230444
- SHA256: 13e6e9eae0d947cb5bb0e13f63ef8b83e6d0ade03cdccdef052e9e20bc755e83
- SHA512: 8c1b5fbf60c66e6f24585cc806ce0c8f6e334c3d217884125f3a477f632be678f290f54b6fed8faf3f2174c1eeec008887121771a606afc912fbd53126cb7dae
Malware Config
Signatures
-
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1548)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 396)
- Loads dropped DLL (2 IoCs)
  Processes: 13e6e9eae0d947cb5bb0e13f63ef8b83e6d0ade03cdccdef052e9e20bc755e83.exe (PID 1624), two loads
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 13e6e9eae0d947cb5bb0e13f63ef8b83e6d0ade03cdccdef052e9e20bc755e83.exe (PID 1624):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  (The Wow6432Node path is the 32-bit registry view; the sample is a 32-bit binary running under WoW64 on a 64-bit host, so the value is the HKLM Run key as that process sees it. The dropped MediaCenter.exe is the persistence payload.)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, 13e6e9eae0d947cb5bb0e13f63ef8b83e6d0ade03cdccdef052e9e20bc755e83.exe (PID 1624)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1624 (13e6e9eae0d947cb5bb0e13f63ef8b83e6d0ade03cdccdef052e9e20bc755e83.exe) wrote to memory of PID 1548 (MediaCenter.exe), 4 times
  PID 1624 (13e6e9eae0d947cb5bb0e13f63ef8b83e6d0ade03cdccdef052e9e20bc755e83.exe) wrote to memory of PID 396 (cmd.exe), 4 times
  PID 396 (cmd.exe) wrote to memory of PID 1768 (PING.EXE), 4 times
  (Each write set targets a child the writer has just spawned, which is what the sandbox records for ordinary process creation; there is no write into an unrelated process here, so this is not evidence of injection on its own.)
Processes

- C:\Users\Admin\AppData\Local\Temp\13e6e9eae0d947cb5bb0e13f63ef8b83e6d0ade03cdccdef052e9e20bc755e83.exe (PID 1624, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\13e6e9eae0d947cb5bb0e13f63ef8b83e6d0ade03cdccdef052e9e20bc755e83.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1548, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 396, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13e6e9eae0d947cb5bb0e13f63ef8b83e6d0ade03cdccdef052e9e20bc755e83.exe"
    (The command line names System32\cmd.exe but the 32-bit parent is redirected to SysWOW64\cmd.exe by WoW64 file system redirection. The ping to 127.0.0.1 is a short delay so the parent has exited before del unlinks its image.)
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1768, depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
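The two behaviours that matter in the tree above are the Run-key value pointing into the user's Temp directory (persistence) and the `cmd /c ping 127.0.0.1 & del /q "<own image>"` child (self-deletion). The following is an added detection example, not part of the sandbox report or the sample's code: it runs both checks over a list of process-creation and registry-set events. The event records are constructed here to mirror the report's process tree (same PIDs, paths and command lines) plus one benign cmd.exe cleanup for contrast; the field names (`type`, `pid`, `ppid`, `image`, `cmdline`, `key`, `value`) are an assumed schema, not any particular sensor's.

```python
"""
Added detection example (not part of the sandbox report).
Flags (1) a Run-key value whose target lives in a user-writable Temp dir
(ATT&CK T1547.001) and (2) a cmd.exe child that deletes its parent's own
image after a ping delay (ATT&CK T1070.004), over a list of event dicts.
The event schema below is an assumption, not a real sensor's format.
"""
import re

SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = SAMPLE_DIR + r"\13e6e9eae0d947cb5bb0e13f63ef8b83e6d0ade03cdccdef052e9e20bc755e83.exe"
DROPPED_PATH = SAMPLE_DIR + r"\MicroMedia\MediaCenter.exe"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"

# Constructed events modelled on the report's process tree (PIDs and paths as
# logged there), plus explorer.exe (PID 2000) spawning a benign installer
# cleanup (PID 2100) that uses the same ping-then-del idiom but deletes a
# file that is not its parent's image; it must not be flagged.
EVENTS = [
    {"type": "process", "pid": 1624, "ppid": 1000, "image": SAMPLE_PATH,
     "cmdline": f'"{SAMPLE_PATH}"'},
    {"type": "registry", "pid": 1624, "key": RUN_KEY, "value": DROPPED_PATH},
    {"type": "process", "pid": 1548, "ppid": 1624, "image": DROPPED_PATH,
     "cmdline": DROPPED_PATH},
    {"type": "process", "pid": 396, "ppid": 1624, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_PATH}"'},
    {"type": "process", "pid": 1768, "ppid": 396, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"type": "process", "pid": 2000, "ppid": 1000, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 & del /q "C:\Users\Admin\Downloads\setup.exe"'},
]

# Any hive's ...\CurrentVersion\Run\<value>, including the Wow6432Node view
# that a 32-bit process writing HKLM is redirected to.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
# Per-user Temp: writable by the user, so an autostart pointing here is suspect.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# "ping <anything> & del [/switches] <path>.exe": ping is the cheap sleep that
# lets the parent exit before del unlinks its file.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&\s*del\s+(?:/[a-z]+\s+)*"?(?P<target>[^"&]+?\.exe)"?', re.I)


def find_run_key_persistence(events):
    """Return (pid, key, value) for each Run-key write whose target path is in
    a user-writable directory."""
    hits = []
    for e in events:
        if e["type"] != "registry" or not RUN_KEY_RE.search(e["key"]):
            continue
        if USER_WRITABLE_RE.match(e["value"].strip('"')):
            hits.append((e["pid"], e["key"], e["value"]))
    return hits


def find_self_deletion(events):
    """Return (cmd_pid, parent_pid, deleted_path) for every cmd.exe whose
    command line deletes the image of the process that spawned it."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group("target").strip()
        parent_image = image_by_pid.get(e["ppid"], "")
        # Only the parent removing its *own* image is the anti-forensics idiom;
        # a cleanup of some other file (the PID 2100 case) is left alone.
        if target.lower() == parent_image.lower():
            hits.append((e["pid"], e["ppid"], target))
    return hits


if __name__ == "__main__":
    for pid, key, value in find_run_key_persistence(EVENTS):
        print(f"[persistence] pid {pid} set {key} = {value}")
    for pid, ppid, path in find_self_deletion(EVENTS):
        print(f"[self-delete] cmd.exe pid {pid} removes parent pid {ppid} image {path}")
```

The self-deletion check deliberately keys on the parent's image path rather than on `ping & del` alone, because installers and updaters use the same idiom to remove a temporary file; what distinguishes the sample is that the file being deleted is the parent process itself. The Run-key check would fire equally on HKCU\...\Run, since the pattern matches the key tail regardless of hive.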
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: b986bce8339d59229284138f854de71d
  SHA1: c96a4dd42bd624174b9e41ad30a25a896a2fa11b
  SHA256: e1987d8ee2fa5ba9f47a7117f448fa9b1f644320da5aab7e3598c82efcc58a2b
  SHA512: 75fee83852d42e58db6a820f4208410b6c68534945729a11db25fccd94d11b6339e48f11519843c5003d41a6d7d54cfd79d5b8f98577c07d49cec37b27bcdcf0