Analysis
max time kernel: 153s
max time network: 178s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:19
Static task: static1
Behavioral task: behavioral1
  Sample: 104a154b5a51b73a7677b578cf572a3bd548dff8bda1f904dcfeb96edfc80576.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 104a154b5a51b73a7677b578cf572a3bd548dff8bda1f904dcfeb96edfc80576.exe
  Resource: win10v2004-en-20220112
General
Target: 104a154b5a51b73a7677b578cf572a3bd548dff8bda1f904dcfeb96edfc80576.exe
Size: 36KB
MD5: 330b0b314049b71af71e25078f6c345b
SHA1: 56f34dd1fccb161df6a47b4b1baf5f0fe215bce7
SHA256: 104a154b5a51b73a7677b578cf572a3bd548dff8bda1f904dcfeb96edfc80576
SHA512: 6c3e4578d28eee2feab141351e0c6db1211fc030eb12e3a4275528e226e33573f7d54d7958e69561df248e7d4a49d3a41f7fb37fcaca59118f6b8552db051ab3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1632 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: pid 744 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 1556 104a154b5a51b73a7677b578cf572a3bd548dff8bda1f904dcfeb96edfc80576.exe (2 loads)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: pid 1556 104a154b5a51b73a7677b578cf572a3bd548dff8bda1f904dcfeb96edfc80576.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: pid 1556 104a154b5a51b73a7677b578cf572a3bd548dff8bda1f904dcfeb96edfc80576.exe
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1556 (104a154b5a51b73a7677b578cf572a3bd548dff8bda1f904dcfeb96edfc80576.exe) wrote to memory of PID 1632 (MediaCenter.exe), 4 times
  PID 1556 (104a154b5a51b73a7677b578cf572a3bd548dff8bda1f904dcfeb96edfc80576.exe) wrote to memory of PID 744 (cmd.exe), 4 times
  PID 744 (cmd.exe) wrote to memory of PID 948 (PING.EXE), 4 times
Processes
C:\Users\Admin\AppData\Local\Temp\104a154b5a51b73a7677b578cf572a3bd548dff8bda1f904dcfeb96edfc80576.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\104a154b5a51b73a7677b578cf572a3bd548dff8bda1f904dcfeb96edfc80576.exe"
  PID: 1556
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child of 1556)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1632
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (child of 1556)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\104a154b5a51b73a7677b578cf572a3bd548dff8bda1f904dcfeb96edfc80576.exe"
    PID: 744
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (child of 744)
      Command line: ping 127.0.0.1
      PID: 948
      - Runs ping.exe
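The process tree above shows the two behaviours a detection engineer would key on: a Run value under Wow6432Node pointing into %TEMP%, and a cmd.exe child that waits on `ping 127.0.0.1` (a crude sleep, so the parent has exited) before `del`-ing the parent's own image. The following is an added example, not part of the sandbox report: a small Python triage run over constructed process-creation and registry events modelled on this report. The event dict layout (type/pid/ppid/image/cmdline/key/value) and the explorer.exe parent (pid 900) and benign control event are assumptions for the example, not data from the report.

```python
import re

# Constructed telemetry modelled on the process tree and registry IoC above.
# The dict layout is an assumption for this example, not a real Sysmon or
# sandbox schema. PID 900 (explorer.exe) and PID 2000 are constructed too.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\104a154b5a51b73a7677b578cf572a3bd548dff8bda1f904dcfeb96edfc80576.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"type": "process", "pid": 900, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 1556, "ppid": 900,
     "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 1556,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": 1632, "ppid": 1556,
     "image": DROPPED, "cmdline": DROPPED},
    # Image is SysWOW64 although the command line names System32: the sample
    # is 32-bit (note the Wow6432Node key), so WOW64 file system redirection
    # rewrites the path.
    {"type": "process", "pid": 744, "ppid": 1556,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 948, "ppid": 744,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Benign control (constructed): same "ping & del" idiom, but the file being
    # removed is not the parent's own image, so it must not be reported.
    {"type": "process", "pid": 2000, "ppid": 900,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping 127.0.0.1 & del /q C:\Users\Admin\build.log"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# "ping <anything> & del [/switches] <path>": ping is used as a delay so the
# parent can exit before its file is unlinked. Captures the deleted path.
PING_DEL_RE = re.compile(r"\bping\b.*?&\s*del\s+(?:/\w\s+)*\"?([^\"]+?)\"?\s*$", re.I)


def _processes(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def find_run_key_persistence(events):
    """Run-key values (either registry view) that point at a user-writable path."""
    hits = []
    for e in events:
        if e["type"] != "registry":
            continue
        m = RUN_KEY_RE.search(e["key"])
        if m and USER_WRITABLE_RE.search(e["value"]):
            hits.append({"pid": e["pid"], "name": m.group(1), "target": e["value"]})
    return hits


def find_dropped_exe_execution(events):
    """Processes under a user-writable path whose parent also runs from one."""
    procs = _processes(events)
    hits = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if (parent and USER_WRITABLE_RE.search(e["image"])
                and USER_WRITABLE_RE.search(parent["image"])):
            hits.append({"pid": e["pid"], "image": e["image"], "parent_pid": parent["pid"]})
    return hits


def find_self_delete(events):
    """cmd.exe children that delete their parent's own image after a ping delay."""
    procs = _processes(events)
    hits = []
    for e in procs.values():
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = PING_DEL_RE.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        if m and parent and m.group(1).lower() == parent["image"].lower():
            hits.append({"pid": e["pid"], "parent_pid": parent["pid"], "deleted": parent["image"]})
    return hits


if __name__ == "__main__":
    for hit in (find_run_key_persistence(EVENTS)
                + find_dropped_exe_execution(EVENTS)
                + find_self_delete(EVENTS)):
        print(hit)
```

The self-delete check deliberately requires the deleted path to equal the parent's image rather than matching on `ping & del` alone; that idiom is also used by legitimate uninstallers and build scripts, as the control event shows. Matching the Run key on both the native and Wow6432Node views matters because a 32-bit sample writes to the redirected key, as this one did.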
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 6bc295e66c8e57c7278419d7b5a2c085
SHA1: 6a7e87ac7624857cc4c861017e4c072d6b97b0c2
SHA256: 8f4067e336ea6f8bfcb694204c247ddb3280bb1cc6d0d532f20af8ea8dffbf43
SHA512: 1baebc971f3cbacb4755716474e9eeda65bdc5c619f791f69d3df8c92262d86d7d00da2fbabea0582fb8a679c2d059f4b6b7b1e04ffd177d03a3e439c28c3660