Analysis
-
max time kernel
137s -
max time network
168s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 05:00
Static task
static1
Behavioral task
behavioral1
Sample
13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe
Resource
win10v2004-en-20220112
General
-
Target
13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe
-
Size
36KB
-
MD5
3bd58ac01cfdb88ad7e604d045ad435e
-
SHA1
ca7a73e38dc3d4dc4d9e11943431103d97f4cda8
-
SHA256
13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa
-
SHA512
d1e1504869605b7f51b6c6b8714f045d87327d955ea829ac74deffcbbe105a24a5fbce2baa707198c7f0ffdd7014cf5d01cbf3f5c1d8ddb99f7c50ff5ea55bfb
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid process
516 MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid process
360 cmd.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid process
820 13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe
820 13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process
Token: SeIncBasePriorityPrivilege 820 13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description pid process target process
PID 820 wrote to memory of 516 820 13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe MediaCenter.exe
PID 820 wrote to memory of 516 820 13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe MediaCenter.exe
PID 820 wrote to memory of 516 820 13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe MediaCenter.exe
PID 820 wrote to memory of 516 820 13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe MediaCenter.exe
PID 820 wrote to memory of 360 820 13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe cmd.exe
PID 820 wrote to memory of 360 820 13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe cmd.exe
PID 820 wrote to memory of 360 820 13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe cmd.exe
PID 820 wrote to memory of 360 820 13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe cmd.exe
PID 360 wrote to memory of 2000 360 cmd.exe PING.EXE
PID 360 wrote to memory of 2000 360 cmd.exe PING.EXE
PID 360 wrote to memory of 2000 360 cmd.exe PING.EXE
PID 360 wrote to memory of 2000 360 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe
"C:\Users\Admin\AppData\Local\Temp\13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE
PID:516 -
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13db3261a611244d7d25ce092eae104e194c8ff083426bd705e57b7a0d03b3fa.exe"
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:360 -
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
- Runs ping.exe
PID:2000
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
445f4c15837a698de585eb534de9bed8
SHA1
3f3e20930d91f0097a31dc828784c9d7aa8f8705
SHA256
2e2a8f860daad146f9f8a48bab17550cf5ba4e0bc2935dbff63a3855347ee7bb
SHA512
5dddd27424f5deb88bec9eaf0750f618017635384e294e9e2b14e4c45f2755fea3c2794d5ad0ee39bc8c454bd7fd4a650d775fa48fdcd5d30f2678ec373cad91