Analysis
- max time kernel: 149s
- max time network: 172s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:18
Static task: static1
Behavioral task: behavioral1
  Sample: 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
  Resource: win10v2004-en-20220113
General
- Target: 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
- Size: 60KB
- MD5: 0658906bf06ae7d4875a36f7fcd313ab
- SHA1: 1e4ccdd90eb4f80cad88ef1a699b62bd11158a83
- SHA256: 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650
- SHA512: 60d99632218d73ffb202537962e800be6afe1cb8a5e61983466430f6b96f49541ddfaae1306be80e2a5a0865b4a56a6f212501bc49fec505b137cc848f713491
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 516: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    PID 1172: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 956: 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
    PID 956: 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Description: Set value (str)
    IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    Process: 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeIncBasePriorityPrivilege, PID 956, 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (PID, process, target process):
    PID 956 wrote to memory of 516: 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe -> MediaCenter.exe (4 times)
    PID 956 wrote to memory of 1172: 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe -> cmd.exe (4 times)
    PID 1172 wrote to memory of 1204: cmd.exe -> PING.EXE (4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 956
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 516
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1172
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1204
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 373f31041f48c6ae68debfb20c34d52d
  SHA1: ddadae2a7a6696f0b332306c33f74701ccdd7e76
  SHA256: fda4bdf1c1f1152768dc7d4e6ca5edf6f64e2b36d9cf374c539e8041422aae4e
  SHA512: d38b6dc0effc8fd402fc29234a15cb1d3266b3514b850ba01c9f39fbb2741c5477c7972a612ef8a75b1c9bf832c74a6c0f23ca1d92d7cb897c845465997f2a85