Analysis
max time kernel: 159s
max time network: 180s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:04
Static task: static1
Behavioral task: behavioral1
  Sample: 13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe
  Resource: win10v2004-en-20220113
General
Target: 13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe
Size: 60KB
MD5: fae4ddf3a8b7ac2263fe3230a972ed64
SHA1: f71a2e648432968fff21b8e32b61a292dce6edc4
SHA256: 13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0
SHA512: 47fcb99b39cf68696ba32a7525a99574e712c67c15d017a719cf939ddfc8e09572811a52dcdf4ae1357468f09b771f44caee6686c2fac8bea1a5389b24712172
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    612  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    432  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1692  13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe
    1692  13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1692  13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1692 wrote to memory of 612   1692  13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe  MediaCenter.exe
    PID 1692 wrote to memory of 612   1692  13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe  MediaCenter.exe
    PID 1692 wrote to memory of 612   1692  13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe  MediaCenter.exe
    PID 1692 wrote to memory of 612   1692  13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe  MediaCenter.exe
    PID 1692 wrote to memory of 432   1692  13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe  cmd.exe
    PID 1692 wrote to memory of 432   1692  13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe  cmd.exe
    PID 1692 wrote to memory of 432   1692  13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe  cmd.exe
    PID 1692 wrote to memory of 432   1692  13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe  cmd.exe
    PID 432 wrote to memory of 1280   432   cmd.exe  PING.EXE
    PID 432 wrote to memory of 1280   432   cmd.exe  PING.EXE
    PID 432 wrote to memory of 1280   432   cmd.exe  PING.EXE
    PID 432 wrote to memory of 1280   432   cmd.exe  PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1692
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 612
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13c1028fa708003078211b11f59e2765c2f0ffa3e61ce784d43d94e7942161a0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 432
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1280
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1a0bf143111660370872fba294aa7540
  SHA1: 9e93b7ec92c4bab9a23d21e8d9337984da439bee
  SHA256: d38221e3f8133dd1c89612bddd531d6f5e2226f07582cc1e313cce7a2b6297a0
  SHA512: 85977abb75b117d80c51783dea89f611a71301e11c2cd53421aa7c5973991ceb15cacbc77f5f15125e14cff0d46e772196f7894eb55ccd4d3f82a5cc661489ec