Analysis
- max time kernel: 154s
- max time network: 177s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:19
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc.exe
  - Resource: win7-en-20211208
Behavioral task
- behavioral2
  - Sample: 104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc.exe
  - Resource: win10v2004-en-20220113
General
- Target: 104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc.exe
- Size: 36KB
- MD5: bddec481304bfd7c5d512493f0fcd53a
- SHA1: 4aab3bf838085512b3acacd69aecfc11748577f9
- SHA256: 104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc
- SHA512: 09f8ff69623b235957052660b32d859d86ee64cd44a95e71512d831339e909320f8af2672aeebea18db5c5175370a830a490b5c675efbe515cc42e00f3da486e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - MediaCenter.exe (PID 1472)
- Deletes itself (1 IoC)
  Processes:
  - cmd.exe (PID 952)
- Loads dropped DLL (2 IoCs)
  Processes:
  - 104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc.exe (PID 1616)
  - 104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc.exe (PID 1616)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc.exe (PID 1616)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: the value lands under HKLM (machine-wide autostart), which the sample can only write because the sandbox user is an administrator; the Wow6432Node path shows the writer is a 32-bit process. The target lives in the user's Temp directory, which is an unusual place for a legitimate autostart entry.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: this is the sandbox's canned description for the signature; nothing else in this report shows file-encryption activity.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc.exe (PID 1616)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  - PID 1616 (104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc.exe) wrote to memory of PID 1472 (MediaCenter.exe), 4 events
  - PID 1616 (104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc.exe) wrote to memory of PID 952 (cmd.exe), 4 events
  - PID 952 (cmd.exe) wrote to memory of PID 1496 (PING.EXE), 4 events
  Note: each parent wrote to its own direct child only; this pattern is what CreateProcess does when it sets up a new child and is not by itself evidence of injection into a foreign process.
Processes
- C:\Users\Admin\AppData\Local\Temp\104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc.exe (PID 1616)
  Command line: "C:\Users\Admin\AppData\Local\Temp\104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1472, child of 1616)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 952, child of 1616)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1496, child of 952)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Notes on the tree:
- The command line names C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe: the dropper is a 32-bit process, so WOW64 file-system redirection maps System32 to SysWOW64 (consistent with the Wow6432Node Run key above).
- The ping to 127.0.0.1 does no network work; it is a sleep that gives the original dropper time to exit so that del /q can remove its file. The "Deletes itself" signature refers to that del of the sample's own path, while the dropped copy in %TEMP%\MicroMedia\MediaCenter.exe and the Run key survive.
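The process tree above shows two behaviours worth turning into detection logic: a Run value whose target sits in a Temp directory, and a child cmd.exe whose "ping <loopback> & del /q <path>" command line deletes its own parent's image. The Python below is an added example written for this page, not code from the sandbox or from the sample. It runs over process-creation and registry events constructed from the report's PIDs, paths and command lines (the ProcEvent/RegEvent field names are this example's own, not a real Sysmon or EDR schema), plus constructed benign events that share the same shape so the checks have something to reject.

```python
"""Detection logic for the dropper behaviour in the report above:
a Run-key pointing into a temp directory plus the
'cmd /c ping 127.0.0.1 & del /q <self>' self-deletion trick.
Events are constructed from the report's process tree; the field
names are this example's own, not a real Sysmon/EDR schema."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # on-disk image path as the sandbox recorded it
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    key: str        # full registry path including the value name
    data: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\104927054be96c4fd99c43d93aa08fc67166e5f28a9c99a51679d0a5e96866dc.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROC_EVENTS = [
    ProcEvent(1616, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1472, 1616, DROPPED, DROPPED),
    # 32-bit parent: cmd.exe resolved to SysWOW64 although the command line says System32
    ProcEvent(952, 1616, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'),
    ProcEvent(1496, 952, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # constructed benign case: same ping-and-del shape, but the target is a log file, not the parent
    ProcEvent(1999, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File cleanup.ps1"),
    ProcEvent(2000, 1999, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c ping 10.0.0.5 & del /q "C:\logs\old.log"'),
]
REG_EVENTS = [
    RegEvent(1616, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             DROPPED),
    # constructed benign case: a Run value pointing into Program Files
    RegEvent(3000, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
             r'"C:\Program Files\Vendor\updater.exe" /background'),
]

# "ping <host> ... & del [/switches] <target>" with or without quotes around the target
PING_DEL_RE = re.compile(
    r'ping\s+(?P<host>\S+)[^&]*&\s*del\s+(?:/\w\s+)*"?(?P<target>.+?)"?\s*$', re.IGNORECASE)
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
TEMP_DIR_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\|\\windows\\temp\\", re.IGNORECASE)


def _is_loopback(host: str) -> bool:
    """A ping to loopback is a pure delay, the classic self-delete idiom."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def _exe_path(data: str) -> str:
    """Strip quotes and trailing arguments from a Run value's data.
    Unquoted paths containing spaces are ambiguous; the first token is taken."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def find_self_deletes(events: List[ProcEvent]) -> List[dict]:
    """cmd.exe whose 'ping ... & del' target equals its own parent's image path."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = PING_DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if not m or parent is None:
            continue
        if m.group("target").lower() == parent.image.lower():
            hits.append({"cmd_pid": e.pid, "parent_pid": parent.pid,
                         "deleted": parent.image, "delay_only": _is_loopback(m.group("host"))})
    return hits


def find_temp_run_keys(events: List[RegEvent]) -> List[dict]:
    """Run/RunOnce values whose executable lives in a temp directory."""
    hits = []
    for r in events:
        key = r.key.lower()
        if not any(mark in key for mark in RUN_KEY_MARKERS):
            continue
        path = _exe_path(r.data)
        if TEMP_DIR_RE.search(path):
            hits.append({"pid": r.pid, "value": r.key.rsplit("\\", 1)[-1],
                         "path": path, "wow64": "\\wow6432node\\" in key})
    return hits


def droppers(procs: List[ProcEvent], regs: List[RegEvent]) -> List[int]:
    """PIDs that both planted a temp-dir Run value and self-deleted via a child cmd.exe."""
    persisted = {h["pid"] for h in find_temp_run_keys(regs)}
    deleted = {h["parent_pid"] for h in find_self_deletes(procs)}
    return sorted(persisted & deleted)


if __name__ == "__main__":
    for hit in find_self_deletes(PROC_EVENTS) + find_temp_run_keys(REG_EVENTS):
        print(hit)
    print("dropper PIDs:", droppers(PROC_EVENTS, REG_EVENTS))
```

The self-delete check keys on the relationship between the del target and the parent's image rather than on the literal "ping 127.0.0.1 & del" string, so a cleanup script that pings a remote host and deletes a log file (the constructed PID 2000 case) is not flagged, while a variant that pings localhost or uses a different switch order still is. Correlating the two findings on the same PID, as droppers() does, is what separates this dropper pattern from an installer that merely writes a Run value or a script that merely deletes a file.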
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2a553d7f64a007b2763ccaaa89897787
- SHA1: d8a68c84d902029ef9958cd907ecb88d9e2ec9ac
- SHA256: 97719e431f3ba0b31fd4b11fee5488bfb4037d846cf7593ae6a25b9600185480
- SHA512: 40ceef8b71ecca4c5dbc0f228bcad899a3fda68fe76bd1c40b63b0fc02b2652d4626373cdae0e082118d53816691243c1cacb91494b89b38058d9d6f4c6abb9f