Analysis
-
max time kernel
119s -
max time network
138s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 05:03
Static task
static1
Behavioral task
behavioral1
Sample
13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe
Resource
win10v2004-en-20220112
General
-
Target
13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe
-
Size
36KB
-
MD5
763f4de9ebd8b9d2da3094321a5e8560
-
SHA1
8870f9fd795361a8f84546a577fd93c0617b0f85
-
SHA256
13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876
-
SHA512
22f2add19e9e48f1632c8915881b6d51f8d25ba81750d3d6c255f2ee9589dbbd19c6547e579e028f3cf1ed94efc5f76f8e142e3bf9e9162a1b9db57c573aaeb1
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1180 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1552 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exepid process 800 13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe 800 13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exedescription pid process Token: SeIncBasePriorityPrivilege 800 13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.execmd.exedescription pid process target process PID 800 wrote to memory of 1180 800 13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe MediaCenter.exe PID 800 wrote to memory of 1180 800 13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe MediaCenter.exe PID 800 wrote to memory of 1180 800 13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe MediaCenter.exe PID 800 wrote to memory of 1180 800 13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe MediaCenter.exe PID 800 wrote to memory of 1552 800 13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe cmd.exe PID 800 wrote to memory of 1552 800 13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe cmd.exe PID 800 wrote to memory of 1552 800 13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe cmd.exe PID 800 wrote to memory of 1552 800 13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe cmd.exe PID 1552 wrote to memory of 988 1552 cmd.exe PING.EXE PID 1552 wrote to memory of 988 1552 cmd.exe PING.EXE PID 1552 wrote to memory of 988 1552 cmd.exe PING.EXE PID 1552 wrote to memory of 988 1552 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe"C:\Users\Admin\AppData\Local\Temp\13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13cb2ea433d574afb734ddc6261c1767e31c8f76cdfdd83d54da78b6a2944876.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:988
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d48cd7af804bfddfb84b4cee0b8d6008
SHA136331af0eb8666d93f89bba848e75e7e5a5ba102
SHA2568f43003fc6761099f5acf40fd64686a96bee9a0e9ece7a1d8249eb63ba841659
SHA512cf92e01ddf63fafabb9794d260cc3e0411a6741662ab891cecbf10fb0034dd4afabe9dd51be4311341a3cdb73fdfb9a90c4b9be9e88440e2672f5fa57ed42e86
-
MD5
d48cd7af804bfddfb84b4cee0b8d6008
SHA136331af0eb8666d93f89bba848e75e7e5a5ba102
SHA2568f43003fc6761099f5acf40fd64686a96bee9a0e9ece7a1d8249eb63ba841659
SHA512cf92e01ddf63fafabb9794d260cc3e0411a6741662ab891cecbf10fb0034dd4afabe9dd51be4311341a3cdb73fdfb9a90c4b9be9e88440e2672f5fa57ed42e86
-
MD5
d48cd7af804bfddfb84b4cee0b8d6008
SHA136331af0eb8666d93f89bba848e75e7e5a5ba102
SHA2568f43003fc6761099f5acf40fd64686a96bee9a0e9ece7a1d8249eb63ba841659
SHA512cf92e01ddf63fafabb9794d260cc3e0411a6741662ab891cecbf10fb0034dd4afabe9dd51be4311341a3cdb73fdfb9a90c4b9be9e88440e2672f5fa57ed42e86