Analysis
- Max time kernel: 152s
- Max time network: 173s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 12-02-2022 06:16
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe
  Resource: win10v2004-en-20220112
General
- Target: 1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe
- Size: 58KB
- MD5: 383bae5891ea3ddd6d6204b487ade385
- SHA1: 9b99c339ca887bde39a007acba537263e47b15ef
- SHA256: 1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7
- SHA512: f8d52f5a8bc9126042723195585c806edf57f3ad2f7680d301094f0bc1d97a5c65715ea631a2dce7082a6fc96b707d56c4b0513edbb08a9016821fe43f47dd09
Malware Config
(none extracted)

Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1588  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    PID 1996  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 1608  1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe
    PID 1608  1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Description: Set value (str)
    IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    Process: 1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeIncBasePriorityPrivilege  PID 1608  1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID -> target PID, source process -> target process):
    1608 -> 1588  1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe -> MediaCenter.exe
    1608 -> 1588  1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe -> MediaCenter.exe
    1608 -> 1588  1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe -> MediaCenter.exe
    1608 -> 1588  1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe -> MediaCenter.exe
    1608 -> 1996  1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe -> cmd.exe
    1608 -> 1996  1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe -> cmd.exe
    1608 -> 1996  1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe -> cmd.exe
    1608 -> 1996  1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe -> cmd.exe
    1996 -> 1840  cmd.exe -> PING.EXE
    1996 -> 1840  cmd.exe -> PING.EXE
    1996 -> 1840  cmd.exe -> PING.EXE
    1996 -> 1840  cmd.exe -> PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe"
   PID: 1608
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1588
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1073c13e4098f968103ade1ab7330b9d45fbbe0c8d9d00daeb70753e27867af7.exe"
      PID: 1996
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1840
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 93b064d849c00d8ca569e7cf52359204
  SHA1: 1fd563c914d28a719d1e97e0872b13cab4bdcc74
  SHA256: 8162bacb91dd4c1d82cafecb14726c95900b04ab9a723e13b50bae275c684917
  SHA512: 17b7eaf3ed23a60484770b997aec56c9bbb8f0e0a0c36533b49a36375c2e40b95166324b24553235a520bf014b26a88ff0a5553c480a6033568f9359a4adb14a