Analysis
- max time kernel: 148s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:23
Static task: static1
Behavioral task: behavioral1
- Sample: 1021c155b561d64e142af32a9589260a5d25afc95653b9ded156bdfb04a12c24.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1021c155b561d64e142af32a9589260a5d25afc95653b9ded156bdfb04a12c24.exe
- Resource: win10v2004-en-20220112
General
- Target: 1021c155b561d64e142af32a9589260a5d25afc95653b9ded156bdfb04a12c24.exe
- Size: 35KB
- MD5: b0485d4ea0bf57669f73eb699b243802
- SHA1: 1c80bc5a4c8457bede6ce6ebbf0d797d51878a3a
- SHA256: 1021c155b561d64e142af32a9589260a5d25afc95653b9ded156bdfb04a12c24
- SHA512: a021c92a03ecea396371e322131eaa6eb9e1572020e165f0da4a1ce5a72d563f0cd69886a8aa8c76f0f06f475d0ac9efc38adb0a4925633bba5631ee6f6e0a52
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 288)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 432)
- Loads dropped DLL (2 IoCs)
  Process: 1021c155b561d64e142af32a9589260a5d25afc95653b9ded156bdfb04a12c24.exe (PID 744), reported twice
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  Process: 1021c155b561d64e142af32a9589260a5d25afc95653b9ded156bdfb04a12c24.exe (PID 744)
  The value lives under HKLM, so the write needs administrative rights (the sandbox runs the sample as the Admin user); Wow6432Node shows the writer is a 32-bit process on the x64 platform, and the persisted binary sits in the user's Temp directory rather than a program directory.
- Enumerates physical storage devices (1 TTP, no IoCs listed)
  Attempts to interact with connected storage/optical drive(s); the sandbox rates this as likely ransomware behaviour. This is a generic heuristic, and no file-encryption activity is recorded elsewhere in this report.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 1996, see the process tree below)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, PID 744 (1021c155b561d64e142af32a9589260a5d25afc95653b9ded156bdfb04a12c24.exe)
  This privilege is what a process needs to raise its own base priority; on its own it is a low-value indicator.
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 744 (1021c155b561d64e142af32a9589260a5d25afc95653b9ded156bdfb04a12c24.exe) wrote to memory of PID 288 (MediaCenter.exe), reported 4 times
  PID 744 (1021c155b561d64e142af32a9589260a5d25afc95653b9ded156bdfb04a12c24.exe) wrote to memory of PID 432 (cmd.exe), reported 4 times
  PID 432 (cmd.exe) wrote to memory of PID 1996 (PING.EXE), reported 4 times
  Each pair is a parent and the child it creates in the process tree below. A parent writing into a freshly created child's address space is part of normal process creation, so this signature by itself is not evidence of code injection; it only confirms the parent/child relationships.
Processes
- C:\Users\Admin\AppData\Local\Temp\1021c155b561d64e142af32a9589260a5d25afc95653b9ded156bdfb04a12c24.exe (PID 744)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1021c155b561d64e142af32a9589260a5d25afc95653b9ded156bdfb04a12c24.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 288)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 432)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1021c155b561d64e142af32a9589260a5d25afc95653b9ded156bdfb04a12c24.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1996)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
  The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: WoW64 file-system redirection applies because the 32-bit sample spawned it. The ping to 127.0.0.1 (four echo requests by default) is a delay so that the parent has exited and its image is no longer locked when del runs; the self-deletion leaves no process of its own, so the cmd.exe command line is the artefact to hunt for.
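The two behaviours above that are worth turning into detection logic are the self-deletion command line and the Run-key value pointing into a Temp directory. The following is an added example written for this page, not Triage's or the sample's own code: it runs two checks over process-creation and registry events. The events are constructed from the report's process tree and registry IoC; the PPID of 0 for the sample and the benign control process with PID 500 are assumptions, since the report shows neither.

```python
"""Detection checks for the report's process tree (added example, not sandbox code):
 1. self-deletion via  cmd.exe /c ping 127.0.0.1 & del /q "<parent's own image>"
 2. Run/RunOnce values whose data points into a user's AppData\Local\Temp directory.
Sample events are constructed from the report; PPID 0 and PID 500 are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as executed (after WoW64 redirection)
    cmdline: str    # command line as recorded


@dataclass
class RegEvent:
    pid: int
    key: str        # key path without the value name
    value: str
    data: str


# cmd.exe /c ping <anything> & del [/flags] "<target>"; also accepts &&, -n delays and > nul
SELF_DELETE_RE = re.compile(
    r'^\s*"?(?P<cmd>[^"]*?cmd\.exe)"?\s+/c\s+ping\b[^&]*&&?\s*del\b'
    r'(?P<flags>(?:\s+/\w+)*)\s+"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?(?:\\|$)', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)


def _norm(path: str) -> str:
    """Case-fold and strip quotes so registry and process-tree paths compare equal."""
    return path.strip().strip('"').replace("\\\\", "\\").lower()


def self_delete_target(cmdline: str) -> Optional[str]:
    """Return the path a ping-then-del command line deletes, or None if it is not that pattern."""
    m = SELF_DELETE_RE.match(cmdline)
    return m.group("target") if m else None


def find_self_deletion(procs: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """(cmd pid, parent pid, target) for each cmd.exe whose del target is its parent's own image.
    Deleting some other file with the same idiom is not flagged (see the PID 500 control)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        target = self_delete_target(p.cmdline)
        parent = by_pid.get(p.ppid)
        if target and parent and _norm(target) == _norm(parent.image):
            hits.append((p.pid, parent.pid, target))
    return hits


def find_temp_run_keys(regs: List[RegEvent]) -> List[Tuple[int, str, str]]:
    """(pid, value name, data) for Run/RunOnce values whose data points into AppData\Local\Temp."""
    return [(r.pid, r.value, r.data)
            for r in regs
            if RUN_KEY_RE.search(r.key) and TEMP_DIR_RE.search(r.data)]


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1021c155b561d64e142af32a9589260a5d25afc95653b9ded156bdfb04a12c24.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the report's process tree. PPID 0 for PID 744 is an assumption
# (the report does not show its parent); PID 500 is an added benign control.
PROCS = [
    ProcEvent(744, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(288, 744, DROPPED, DROPPED),
    ProcEvent(432, 744, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1996, 432, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(500, 744, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "C:\\Temp\\old.log"'),
]
REGS = [
    RegEvent(744, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
             "MicroMedia", DROPPED),
]

if __name__ == "__main__":
    for hit in find_self_deletion(PROCS):
        print("self-delete: cmd PID %d removes parent PID %d image %s" % hit)
    for hit in find_temp_run_keys(REGS):
        print("Temp Run key: PID %d set %s = %s" % hit)
```

The self-deletion check deliberately ties the `del` target to the parent's image path rather than matching the `ping & del` idiom alone, because installers and scripts use the same idiom to clean up ordinary files; the Run-key check keys on the data path, so it also catches values written under HKCU or without Wow6432Node.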
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: aeb8dc8bb7e74737abc033a59382688b
  SHA1: 0589625d50a3df1456ca0c4ce6f9c87a68bdc60a
  SHA256: 2f4a483d3d4e59bea1e4e6171304e670cd1d4b3e93f2d3d7389e0489e3428dbe
  SHA512: df1ab8659afe4c74553cd63a151446e79cf230aa5f1b7fb48524bade1ce653819952b16409ce5596509f4bee276efb0c6fdae548e7afe076e55f061800a5f1d5
  (the same hash set is listed for all three download entries in the report; the report does not name the file)