Analysis
max time kernel: 154s
max time network: 170s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:19
Static task: static1
Behavioral task: behavioral1
  Sample: 104e00f47998a851baf54d3dae166d76daeacffd87233518d04a759ee8197439.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 104e00f47998a851baf54d3dae166d76daeacffd87233518d04a759ee8197439.exe
  Resource: win10v2004-en-20220113
General
Target: 104e00f47998a851baf54d3dae166d76daeacffd87233518d04a759ee8197439.exe
Size: 60KB
MD5: 793c2a18f594d4de41bae526c10170a3
SHA1: 48f19d426dc3b362f7005b723e250f6d95d97776
SHA256: 104e00f47998a851baf54d3dae166d76daeacffd87233518d04a759ee8197439
SHA512: 763ab4579ff093b7d356df03d647bfff4bc75bfe9464efdb4e1ef39d283ab351af4050bc991f4eafa722105c4e97108f8f6547e81956e117dbb9cfb7939396b7
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes: PID 960 MediaCenter.exe

Deletes itself (1 IoC)
Processes: PID 512 cmd.exe

Loads dropped DLL (2 IoCs)
Processes: PID 1684 104e00f47998a851baf54d3dae166d76daeacffd87233518d04a759ee8197439.exe (two loads)
Adds Run key to start application (2 TTPs, 1 IoC)
Process: 104e00f47998a851baf54d3dae166d76daeacffd87233518d04a759ee8197439.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
The value is machine-wide (HKLM) persistence that launches the dropped copy from the user's Temp directory on every logon. The Wow6432Node path shows the writer is a 32-bit process on the 64-bit task platform (windows7_x64), which is consistent with the SysWOW64 child processes below.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic sandbox heuristic; nothing else in this report (no mass file writes or renames are listed) corroborates ransomware activity.

Runs ping.exe (1 TTP, 1 IoC)
Processes: PID 1028 PING.EXE (see process tree)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: PID 1684 104e00f47998a851baf54d3dae166d76daeacffd87233518d04a759ee8197439.exe, Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
Source PID  Source process                                                             Target PID  Target process   Writes
1684        104e00f47998a851baf54d3dae166d76daeacffd87233518d04a759ee8197439.exe       960         MediaCenter.exe  4
1684        104e00f47998a851baf54d3dae166d76daeacffd87233518d04a759ee8197439.exe       512         cmd.exe          4
512         cmd.exe                                                                    1028        PING.EXE         4
Every write here goes from a parent into a child it has just created, which is the normal CreateProcess start-up pattern rather than injection into an unrelated process. Treat this signature as noise unless a target is not the writer's own child.
Processes
C:\Users\Admin\AppData\Local\Temp\104e00f47998a851baf54d3dae166d76daeacffd87233518d04a759ee8197439.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\104e00f47998a851baf54d3dae166d76daeacffd87233518d04a759ee8197439.exe"
  PID: 1684
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 960
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\104e00f47998a851baf54d3dae166d76daeacffd87233518d04a759ee8197439.exe"
      PID: 512
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 1028
          - Runs ping.exe
The cmd.exe and PING.EXE images resolve under SysWOW64 although the command line names System32: the 32-bit parent's view of System32 is redirected by WOW64 file-system redirection. The ping to 127.0.0.1 is only a delay so that the parent has exited before del /q removes its original file; the dropped MediaCenter.exe copy in Temp is what survives and is what the Run key points to.
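Detection logic for the two behaviours the signatures and process tree above record, the Run key pointing into the user's Temp directory and the `cmd /c ping 127.0.0.1 & del /q` self-deletion. This is an added example, not part of the Triage report or the sample. It runs over events constructed by hand to mirror this report's process tree and Run-key IoC; the field names (Image, CommandLine, ParentImage, TargetObject, Details) follow Sysmon Event IDs 1 and 13 for familiarity, but nothing here is captured telemetry, and the benign look-alike events and the SUSPECT_DIRS list are assumptions to tune per environment.

```python
"""Detection logic for two behaviours in this report: a Run key that points
into a user-writable Temp directory, and the `cmd /c ping 127.0.0.1 & del /q`
self-deletion. Added example; not part of the Triage report or the sample.

Events are constructed by hand to mirror the report's process tree and Run-key
IoC. Field names follow Sysmon Event ID 1 (process create) and 13 (registry
value set) for familiarity, but nothing here is captured telemetry.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\104e00f47998a851baf54d3dae166d76daeacffd87233518d04a759ee8197439.exe")

EVENTS = [
    # Parent drops and runs MediaCenter.exe (report PID 960).
    {"EventID": 1, "ProcessId": 960, "ParentProcessId": 1684,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "ParentImage": SAMPLE},
    # Run-key persistence. Triage prints the key as \REGISTRY\MACHINE\...,
    # Sysmon prints HKLM\...; the rule matches the common suffix.
    {"EventID": 13, "ProcessId": 1684, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    # Self-deletion helper (report PID 512). Image is under SysWOW64 because the
    # 32-bit parent's "System32" is redirected by WOW64 file-system redirection.
    {"EventID": 1, "ProcessId": 512, "ParentProcessId": 1684,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"',
     "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 1028, "ParentProcessId": 512,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    # Constructed benign look-alikes that must not alert: an interactive
    # loopback ping, and a vendor Run entry under Program Files.
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 1500,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ping 127.0.0.1 -n 3",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 2100, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" /background'},
]

# A delay (ping to loopback, or timeout) in the same cmd line as a del/erase.
DELAY_RE = re.compile(r"\bping(?:\.exe)?\b[^&|]*(?:127\.0\.0\.1|localhost)|\btimeout(?:\.exe)?\b", re.I)
DEL_RE = re.compile(r'\b(?:del|erase)\b[^&|]*?"?([A-Za-z]:\\[^"&|]+?\.exe)"?', re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\", re.I)
EXE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.exe', re.I)
# Directories any user can write to (assumed list; tune to the environment).
SUSPECT_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\Users\\Public\\|\\Windows\\Temp\\", re.I)


def detect_self_delete(ev):
    """cmd.exe that waits (ping/timeout) and then deletes its own parent's image."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\cmd.exe"):
        return None
    cmdline = ev.get("CommandLine", "")
    if not DELAY_RE.search(cmdline):
        return None
    m = DEL_RE.search(cmdline)
    if not m:
        return None
    target = m.group(1)
    # Only the parent's own image counts: deleting some other exe is a weaker
    # signal and belongs in a separate rule.
    if target.lower() != ev.get("ParentImage", "").lower():
        return None
    return {"rule": "self_delete_via_cmd", "pid": ev["ProcessId"],
            "parent_pid": ev["ParentProcessId"], "deleted": target}


def detect_run_key_to_temp(ev):
    """Run/RunOnce value whose launched exe lives in a user-writable directory."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    m = EXE_PATH_RE.search(ev.get("Details", ""))
    if not m or not SUSPECT_DIRS.search(m.group(0)):
        return None
    return {"rule": "run_key_in_user_writable_dir", "pid": ev["ProcessId"],
            "value": ev["TargetObject"], "path": m.group(0)}


RULES = (detect_self_delete, detect_run_key_to_temp)


def scan(events):
    """Apply every rule to every event and return the list of findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Run against the constructed events, scan() returns exactly two findings, one per behaviour, and neither benign look-alike alerts. The self-delete rule deliberately requires the del target to equal the parent's image path so that an operator running `ping` and `del` on unrelated files does not trip it; the Run-key rule keys on where the launched binary lives rather than on the value name, since the name (MicroMedia here) is attacker-chosen.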
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 765d235dfba0a702735c67326bed03a3
SHA1: 0a7821540832cd8a48319e14b8eae5b0002ceaec
SHA256: c2e490ebacee72b1a5dc63122e46e88b3e65d1794f3cabeb464da5f069287208
SHA512: ac6c5aa5a782ab92ce4bbb71ebee2ef49940df1b51cd783ec88daa528a21d0f7c6246ebfbb63fd2941fad851f7d627334809abef4108c2fa5f78a677ac985f51