Analysis
max time kernel: 117s
max time network: 143s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:23
Static task: static1
Behavioral task: behavioral1
  Sample: 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
  Resource: win10v2004-en-20220113
General
Target: 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
Size: 35KB
MD5: d4ede4ee7b47d0134bcba66182f04c2a
SHA1: 14e7b70de341667d276c3a5253e21b9e3a6b8987
SHA256: 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe
SHA512: e41f6dc6978fd076c72b4331b7f1e5b5e85b5996bdc3bfa733c78ecf35860b593eb480a19481785612d423d233eb7b1cc4b60e599bd27c675731e1af864ae3a1
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid 320   MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  pid 1968  cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid 812   102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
  pid 812   102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe (pid 812)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but nothing else in this trace (no file encryption, no ransom note) supports that; on its own the signature only says the sample queried the attached drives.

Runs ping.exe (1 TTP, 1 IoC)
Processes:
  pid 1068  PING.EXE  (ping 127.0.0.1, spawned by cmd.exe pid 1968; see the process tree below)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeIncBasePriorityPrivilege  pid 812  102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  source pid  source process                                                                  target pid  target process   count
  812         102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe            320         MediaCenter.exe  4
  812         102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe            1968        cmd.exe          4
  1968        cmd.exe                                                                         1068        PING.EXE         4
Every target is a process the writer itself spawned, and each parent/child pair appears exactly four times, which is consistent with the writes a parent performs into a freshly created child during process creation rather than with injection into an unrelated process. Treat this signature as a process-tree confirmation, not as evidence of code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe (PID 812)
  command line: "C:\Users\Admin\AppData\Local\Temp\102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 320, parent 812)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 1968, parent 812)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 1068, parent 1968)
      command line: ping 127.0.0.1
      - Runs ping.exe
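The three behaviours the report hangs its verdict on (a Run key pointing into a user-writable Temp directory, a dropped executable being launched, and self-deletion through "cmd /c ping 127.0.0.1 & del") are easy to turn into host-telemetry rules. The following is an added example, not code from the sandbox or from the sample: it runs those rules over a constructed, Sysmon-like event stream that mirrors this report's process tree. The event dictionary shape, the file_create row (the report says "Executes dropped EXE" but shows no write event), the parent PID 1400 and the benign "Updater" control row are all assumptions of the example.

```python
import re
from typing import Dict, List, Tuple

# Paths taken from the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed telemetry (not logs from the report): a simplified Sysmon-like stream
# mirroring the observed tree, plus one benign Run key as a control row. The
# file_create row and the parent PID 1400 are assumptions of this example.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 812, "ppid": 1400, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "file_create", "pid": 812, "path": DROPPED},
    {"type": "registry_set", "pid": 812,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process_create", "pid": 320, "ppid": 812, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process_create", "pid": 1968, "ppid": 812, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process_create", "pid": 1068, "ppid": 1968, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"type": "registry_set", "pid": 2100,  # benign control: updater registered under Program Files
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]

# Matches both the native Run/RunOnce key and the Wow6432Node view a 32-bit process writes to.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Anything under a user's AppData tree is writable without elevation.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.I)
# "ping <anything> & del [/switches] <target>": the ping is only a sleep so the
# parent can exit before its own image is unlinked. Group 1 is the del target.
PING_THEN_DEL = re.compile(r'\bping\b[^&]*&+\s*del\b\s*(?:/\w+\s+)*"?([^"]+?)"?\s*$', re.I)


def run_key_to_user_writable(events: List[Dict]) -> List[Tuple[int, str]]:
    """Run/RunOnce values whose target lives in a user-writable AppData path."""
    return [(e["pid"], e["value"]) for e in events
            if e["type"] == "registry_set"
            and RUN_KEY.search(e["key"])
            and USER_WRITABLE.search(e["value"].strip('"'))]


def self_delete_via_cmd(events: List[Dict]) -> List[Tuple[int, str]]:
    """cmd.exe children whose 'ping & del' target is their parent's own image."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    hits = []
    for e in events:
        if e["type"] != "process_create" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = PING_THEN_DEL.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1)
        if target.lower() == image_by_pid.get(e["ppid"], "").lower():
            hits.append((e["pid"], target))
    return hits


def dropped_exe_executed(events: List[Dict]) -> List[int]:
    """PIDs whose image was written earlier in the same trace (drop-then-execute)."""
    written, hits = set(), []
    for e in events:  # stream order matters: the write must precede the launch
        if e["type"] == "file_create":
            written.add(e["path"].lower())
        elif e["type"] == "process_create" and e["image"].lower() in written:
            hits.append(e["pid"])
    return hits


def triage(events: List[Dict]) -> Dict[str, list]:
    return {
        "run_key_user_writable": run_key_to_user_writable(events),
        "self_delete_via_cmd": self_delete_via_cmd(events),
        "dropped_exe_executed": dropped_exe_executed(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

Two WOW64 details in this report matter when porting these rules to real telemetry. The sample is 32-bit running on x64, so its Run-key write is redirected to Wow6432Node (the key pattern above deliberately ignores that prefix), and the cmd.exe it launches by the System32 path is actually the SysWOW64 image, so match on the file name rather than the full directory. The self-delete rule keys on the del target equalling the parent's image; a looser "ping & del" match without that comparison will also fire on ordinary installer clean-up scripts.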
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 14f8998517d57b054d7ee6b1f50d66bb
SHA1: c07b8a4f4bd9c6ef29884b71abecda8fb8c9e30b
SHA256: 17f53c52fdb9254634432586c5707c4f3cddec9cc7a08775aecc99484b26c78a
SHA512: 79a5065e8b5da95fdf6b41701fd439a40d0af15b9d157e7a0b26119b83752a4bf4f3475a720cd60e86c13eba632f1267e8a2fcf301ff0e213c9d7bb4630561fc