Analysis
max time kernel: 128s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:19
Static task: static1
Behavioral task: behavioral1
  Sample: 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe
  Resource: win10v2004-en-20220112
General
Target: 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe
Size: 35KB
MD5: 2cd2809857984142aa483a2ed7b020ca
SHA1: 01851edce949169a114632e45b78602ffcf8654a
SHA256: 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db
SHA512: 790127b139bf4e1a17829330089220bb52eef950fce0f212c38518c0090e0a79ab9acf835af130fec6e84d70dd1192dbdb24e603b0d2caa8f48261e246a90894
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1452 / MediaCenter.exe

Deletes itself (1 IoC)
  Processes (pid / process):
    1880 / cmd.exe

Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1048 / 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe
    1048 / 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 1048 / 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1048 wrote to memory of 1452 / 1048 / 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe / MediaCenter.exe
    PID 1048 wrote to memory of 1452 / 1048 / 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe / MediaCenter.exe
    PID 1048 wrote to memory of 1452 / 1048 / 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe / MediaCenter.exe
    PID 1048 wrote to memory of 1452 / 1048 / 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe / MediaCenter.exe
    PID 1048 wrote to memory of 1880 / 1048 / 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe / cmd.exe
    PID 1048 wrote to memory of 1880 / 1048 / 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe / cmd.exe
    PID 1048 wrote to memory of 1880 / 1048 / 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe / cmd.exe
    PID 1048 wrote to memory of 1880 / 1048 / 130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe / cmd.exe
    PID 1880 wrote to memory of 1076 / 1880 / cmd.exe / PING.EXE
    PID 1880 wrote to memory of 1076 / 1880 / cmd.exe / PING.EXE
    PID 1880 wrote to memory of 1076 / 1880 / cmd.exe / PING.EXE
    PID 1880 wrote to memory of 1076 / 1880 / cmd.exe / PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1048
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1452
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\130de4aef3eef8186b12d5884730d2762098cd29de0bbfcf2fa772ac85bac7db.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1880
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 1076
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: bf624fb16a6d3b12335d5ae04b162f7c
SHA1: 5a75191cd7c1afa9c614652a6c173abb501d526c
SHA256: 2d03c3fb1db918f1be8f2bd80501abdb9bdcde8b7f134a4df8250c8e22c13712
SHA512: dcc9df0a81620c62608e91a147dd766ede9310422e0de30a92671df118ba557ba9db96f7c3bbd1d3f27dfa7998c9ca2f4c3fc7dfddc6624947acd36fded107db