Analysis
- max time kernel: 143s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:16

Static task: static1

Behavioral task: behavioral1
- Sample: 1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe
- Resource: win10v2004-en-20220112
General
- Target: 1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe
- Size: 36KB
- MD5: f515e08de5cbced19bc8edfb03643077
- SHA1: 8c45e4cc5515be7353ca9a897593219edcf93b8a
- SHA256: 1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401
- SHA512: 9e0cdfbaf6427655d8a5681c8d47872fde31eb02a24e17eba422f135a9e382ac5ecacb644c3932dbe5e78a8257e9bea43cd441e4ce39bd0067ab8e2bd7489bb2
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  1716  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid   process
  788   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  860   1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe
  860   1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description      ioc                                                                                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  860   1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                        pid   process                                                                   target process
  PID 860 wrote to memory of 1716    860   1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe  MediaCenter.exe
  PID 860 wrote to memory of 1716    860   1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe  MediaCenter.exe
  PID 860 wrote to memory of 1716    860   1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe  MediaCenter.exe
  PID 860 wrote to memory of 1716    860   1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe  MediaCenter.exe
  PID 860 wrote to memory of 788     860   1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe  cmd.exe
  PID 860 wrote to memory of 788     860   1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe  cmd.exe
  PID 860 wrote to memory of 788     860   1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe  cmd.exe
  PID 860 wrote to memory of 788     860   1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe  cmd.exe
  PID 788 wrote to memory of 960     788   cmd.exe                                                                   PING.EXE
  PID 788 wrote to memory of 960     788   cmd.exe                                                                   PING.EXE
  PID 788 wrote to memory of 960     788   cmd.exe                                                                   PING.EXE
  PID 788 wrote to memory of 960     788   cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 860
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1716
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1072c154656b10ecb3ae3020bf95d8394e4ce5d3e41e40265c7a3d8ada05c401.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 788
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 960
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1e677da1c769aa2b94d131f6967fe0cf
  SHA1: ed5a12ded3279b1f64f3ece1535143dd80982554
  SHA256: 7ed58d1dd7721e998b950fb9518e63d66cb327094613f39ec256d56d6396a3cb
  SHA512: 9fa6480628e6a234c0b7d1c3543c0034d757511b0fc07ead4b5e3fe2fdda6dab6cb012cdd589a66e8e4d4db4802908a41af5c0ed57136c72600a2ff8cc48edcb