Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:01
Static task: static1
Behavioral task: behavioral1
- Sample: 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe
- Resource: win10v2004-en-20220113
General
- Target: 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe
- Size: 58KB
- MD5: ec7c00a93805b520f5ec22b495c0fc9a
- SHA1: 4d7e6ff28e86403f9f50935c87becbf90f40a327
- SHA256: 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c
- SHA512: ef75e7e9d48771ab38b5eca7dc137a2a98c2677009bd31648ffebb64a4240595526f546f37fcb68d4ea3fecfc9086e41359fc96e22ff3126ce4ecda5da5bbfe6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  1448 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  396 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe
  pid | process
  1592 | 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe
  1592 | 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1592 | 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe, cmd.exe
  description | pid | process | target process
  PID 1592 wrote to memory of 1448 | 1592 | 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe | MediaCenter.exe (4 identical IoCs)
  PID 1592 wrote to memory of 396 | 1592 | 13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe | cmd.exe (4 identical IoCs)
  PID 396 wrote to memory of 1192 | 396 | cmd.exe | PING.EXE (4 identical IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe"
  PID: 1592
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1448
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13d6b60648202a8bc0abfce590cdb4ba69c1367abde789f470c62f6316466d0c.exe"
    PID: 396
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1192
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b248eafaf4686004c1b9a5d9172bb636
- SHA1: e90881aceeaa3338a4e65836e0a07c9c025d7b71
- SHA256: b3f72312c932acdf487301e10640301b1de12631b135aa05d43d6b7efea53f0d
- SHA512: c2dbfcd2bc5a9e5c6e0859695a5ba39d32a968f375c8ce6ad8449725537bb9705aa1b89e1a4fe2299012b9906d3b0b5cdc4e57495b398f3fba9c5f7c178d6714