Analysis
max time kernel: 120s
max time network: 135s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:19
Static task: static1
Behavioral task: behavioral1
  Sample: 13161bf2292ff2374fd6376929c10f7f44ddd1cda4a48da480702f672acb5d2d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 13161bf2292ff2374fd6376929c10f7f44ddd1cda4a48da480702f672acb5d2d.exe
  Resource: win10v2004-en-20220112
General
Target: 13161bf2292ff2374fd6376929c10f7f44ddd1cda4a48da480702f672acb5d2d.exe
Size: 35KB
MD5: 543933c1e674a9c15b3b4c7aa3bc60fd
SHA1: 18e24703f429656acb34406d1d7e556cb8001889
SHA256: 13161bf2292ff2374fd6376929c10f7f44ddd1cda4a48da480702f672acb5d2d
SHA512: a065749136060b6ae572dfe90fb2bb48074df9514402d306c7bd56f3c57cb57f30f38d87e0bb2ab8337fb1c474de80b7eefc30ad18ee6cb3e62719e5e6e40e00
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1684)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 396)
- Loads dropped DLL (2 IoCs)
  Process: 13161bf2292ff2374fd6376929c10f7f44ddd1cda4a48da480702f672acb5d2d.exe (PID 1212), reported twice
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: the sample (PID 1212)
  This is the machine-wide Run key (HKLM; Wow6432Node because the sample is a 32-bit process on 64-bit Windows), which needs administrative rights to write. It points at the dropped MediaCenter.exe in the user's Temp directory, so the dropped copy, not the original sample, is what runs at the next logon.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the signature's generic description. Nothing else in this report (no file encryption or ransom-note activity is listed) supports a ransomware classification for this sample, so treat it as a heuristic hit rather than a verdict.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 1972), spawned by cmd.exe (PID 396); see the process tree below.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, the sample (PID 1212)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1212 (the sample) wrote to memory of PID 1684 (MediaCenter.exe), 4 times
  PID 1212 (the sample) wrote to memory of PID 396 (cmd.exe), 4 times
  PID 396 (cmd.exe) wrote to memory of PID 1972 (PING.EXE), 4 times
  Each group is a parent writing into a child it has just created (compare the process tree below), which is what CreateProcess does while setting up a new process. There is no write into an unrelated process here, so on its own this is not evidence of injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\13161bf2292ff2374fd6376929c10f7f44ddd1cda4a48da480702f672acb5d2d.exe (PID 1212, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\13161bf2292ff2374fd6376929c10f7f44ddd1cda4a48da480702f672acb5d2d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1684, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 396, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13161bf2292ff2374fd6376929c10f7f44ddd1cda4a48da480702f672acb5d2d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1972, depth 3)
      command line: ping 127.0.0.1
      - Runs ping.exe

Two details of the tree are worth reading carefully. The image path of the shell is C:\Windows\SysWOW64\cmd.exe although the command line asks for System32\cmd.exe: the 32-bit sample's request was redirected by WOW64 file-system redirection, which is why the child PING.EXE also lives in SysWOW64. The ping to 127.0.0.1 has no network purpose; with the default four echo requests it stalls cmd.exe for roughly three seconds so that the sample (PID 1212) has exited before del /q unlinks its file, which is the "Deletes itself" signature above.
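The signatures and the process tree together describe one three-step pattern: drop a copy, register it under a Run key, and remove the original through a stalled cmd.exe. As an added example (not part of the sandbox report and not code from any tool it names), the following Python turns those three observations into detection rules and runs them over constructed process and registry events copied from this report plus one constructed benign control; the event dict layout is an assumption of the example, not the sandbox's export format.

```python
import re

# Constructed events modelled on the sandbox report above. The PIDs, image
# paths, the cmd.exe command line and the Run value are copied from the
# report; the dict layout and the benign control event are assumptions of
# this example, not the sandbox's export format.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\13161bf2292ff2374fd6376929c10f7f44ddd1cda4a48da480702f672acb5d2d.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"type": "process", "pid": 1212, "ppid": None, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 1684, "ppid": 1212, "image": DROPPED,
     "cmdline": DROPPED},
    {"type": "process", "pid": 396, "ppid": 1212,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1972, "ppid": 396,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"type": "registry", "pid": 1212,
     "key": (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
             r"\CurrentVersion\Run\MicroMedia"),
     "value": DROPPED},
    # Benign control (constructed): a Run value pointing into Program Files.
    {"type": "registry", "pid": 2222,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]

# "ping <args>" chained with & or && into "del [/flags] <path>": the ping only
# exists to stall until the caller has exited, so its file can be unlinked.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&|]*&&?\s*del\b\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*$', re.IGNORECASE)
# Any Run value (HKLM or HKCU, native or Wow6432Node view).
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\[^\\]+$", re.IGNORECASE)
# Path under the user's %LOCALAPPDATA%\Temp directory.
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def norm(path):
    """Lower-case a Windows path and drop surrounding quotes/whitespace."""
    return path.strip().strip('"').lower()


def detect(events):
    """Run the three rules over a list of events; return (rule, pid, detail) tuples."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            parent = by_pid.get(e["ppid"])
            # Rule 1: cmd.exe "ping ... & del ..." one-liner; record whether the
            # path being deleted is the parent's own image (a true self-delete).
            if e["image"].lower().endswith("\\cmd.exe"):
                m = SELF_DELETE_RE.search(e["cmdline"])
                if m:
                    target = norm(m.group(1))
                    own = parent is not None and norm(parent["image"]) == target
                    findings.append(("ping_then_del", e["pid"],
                                     ("deletes parent image " if own else "deletes ") + target))
            # Rule 2: an executable under Temp started by another Temp-resident
            # executable (a proxy for "executes dropped EXE" when file-write
            # events are not available).
            if TEMP_DIR_RE.search(e["image"]) and parent and TEMP_DIR_RE.search(parent["image"]):
                findings.append(("temp_spawns_temp", e["pid"], e["image"]))
        elif e["type"] == "registry":
            # Rule 3: a Run value whose target lives under the user's Temp directory.
            if RUN_KEY_RE.search(e["key"]) and TEMP_DIR_RE.search(e["value"]):
                findings.append(("run_key_to_temp", e["pid"], e["value"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:18} pid={pid:<5} {detail}")
```

Rule 1 cross-checks the deleted path against the parent's image, so an uninstall script that pings and then deletes some unrelated file is reported differently from a binary erasing itself. The Run-key rule keys on the target path rather than the value name, since the name (MicroMedia here) is arbitrary and changes between samples.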
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 5ff8f71bc33088770bb51134f3531158
SHA1: 2d6e8ef89f4de3d67b42e471a7932a036f7ec72d
SHA256: 53ae4c546e7008d339d386c8bfbf4f1975c2b16d71e6648329aa76928dd6a4be
SHA512: beea19c67023922069fc7d7c12c34cd1c82c353cf08280db31e476f239aae5a2c01d44d2e334d6222758719b16e99f74ef6cff01be24031e83dd2d8d93572432
These hashes differ from the submitted sample's, so this download is a separate artifact captured during the run; the report does not say which file it is.