Analysis
max time kernel: 152s
max time network: 168s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:24
Static task: static1
Behavioral task: behavioral1
  Sample: 10135933395f5437f8adb9a54bf8bfb681b5e5328a2affbdfd40c8ad47db7824.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 10135933395f5437f8adb9a54bf8bfb681b5e5328a2affbdfd40c8ad47db7824.exe
  Resource: win10v2004-en-20220112
General
Target: 10135933395f5437f8adb9a54bf8bfb681b5e5328a2affbdfd40c8ad47db7824.exe
Size: 60KB
MD5: 33939f038c83d028b1caa2071b72c4ab
SHA1: 9e0dadc79e2fb6d5086c4cec7a0a7aed45edeecc
SHA256: 10135933395f5437f8adb9a54bf8bfb681b5e5328a2affbdfd40c8ad47db7824
SHA512: dda606933fa6b07f36d6de3ffc2bd9c319cb87e0bc389490143f38c681da28d7c493b76b94da74920cc5f418ed0bc61dbd72f5c670ca77a0a538db4b9276c775
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1660
Deletes itself (1 IoC)
  Process: cmd.exe, PID 1928
Loads dropped DLL (2 IoCs)
  Process: 10135933395f5437f8adb9a54bf8bfb681b5e5328a2affbdfd40c8ad47db7824.exe, PID 1488 (two loads)
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 10135933395f5437f8adb9a54bf8bfb681b5e5328a2affbdfd40c8ad47db7824.exe, PID 1488
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: the Wow6432Node path means a 32-bit process wrote HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on 64-bit Windows and the registry redirector placed the value in the 32-bit view; values there are still executed at logon. The target sits in a user-writable Temp directory, which is the part worth alerting on.
Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: nothing else in this report (no file writes beyond the drop, no ransom note) corroborates ransomware; treat this as a generic heuristic.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 10135933395f5437f8adb9a54bf8bfb681b5e5328a2affbdfd40c8ad47db7824.exe, PID 1488, Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1488 (10135933395f5437f8adb9a54bf8bfb681b5e5328a2affbdfd40c8ad47db7824.exe) wrote to memory of PID 1660 (MediaCenter.exe), 4 times
  PID 1488 (10135933395f5437f8adb9a54bf8bfb681b5e5328a2affbdfd40c8ad47db7824.exe) wrote to memory of PID 1928 (cmd.exe), 4 times
  PID 1928 (cmd.exe) wrote to memory of PID 2012 (PING.EXE), 4 times
  Caveat: every pair is a parent writing into a child it has just created, which process creation does by itself; this signature alone does not show injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\10135933395f5437f8adb9a54bf8bfb681b5e5328a2affbdfd40c8ad47db7824.exe (PID 1488)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10135933395f5437f8adb9a54bf8bfb681b5e5328a2affbdfd40c8ad47db7824.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1660, child of 1488)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 1928, child of 1488)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10135933395f5437f8adb9a54bf8bfb681b5e5328a2affbdfd40c8ad47db7824.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 2012, child of 1928)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Notes: the command line asks for System32\cmd.exe but the image that runs is SysWOW64\cmd.exe, because the 32-bit parent is subject to WOW64 file system redirection (consistent with the Wow6432Node Run key). "ping 127.0.0.1 & del /q <self>" is the usual self-deletion idiom: ping runs for a few seconds, which gives the original executable time to exit so that del can remove it.
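The persistence and self-deletion behaviours in the tree above translate directly into detection logic. What follows is an added example in Python, not part of the sandbox report: it runs two detectors over constructed event records that mirror the report's process tree and Run-key IoC (plus two benign controls). The Event schema and its field names are an assumption for illustration, not any real log format.

```python
# Added example (not part of the sandbox report): detection logic for the two
# behaviours in the tree above, run over constructed event records that mirror
# the report's process tree and Run-key IoC. The Event schema and field names
# are an assumption for illustration, not a real log format.
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\10135933395f5437f8adb9a54bf8bfb681b5e5328a2affbdfd40c8ad47db7824.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"


@dataclass
class Event:
    kind: str                 # "process" (creation) or "registry" (value set)
    pid: int
    image: str
    cmdline: str = ""
    parent_pid: int = 0
    parent_image: str = ""
    key: str = ""             # registry events only
    data: str = ""            # registry events only


# Constructed records: the first five mirror the report, the last two are benign controls.
EVENTS = [
    Event("process", 1488, SAMPLE, '"' + SAMPLE + '"'),
    Event("registry", 1488, SAMPLE,
          key=r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
              r"\CurrentVersion\Run\MicroMedia",
          data=DROPPED),
    Event("process", 1660, DROPPED, DROPPED, 1488, SAMPLE),
    Event("process", 1928, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"',
          1488, SAMPLE),
    Event("process", 2012, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1",
          1928, r"C:\Windows\SysWOW64\cmd.exe"),
    # Benign: an installer registering a Run value that points into Program Files ...
    Event("registry", 3001, r"C:\Program Files\Vendor\setup.exe",
          key=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
          data=r"C:\Program Files\Vendor\agent.exe"),
    # ... and a cmd.exe that deletes a temp file which is not its parent's image.
    Event("process", 3002, r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c del /q "C:\Users\Admin\AppData\Local\Temp\log.tmp"',
          3001, r"C:\Program Files\Vendor\setup.exe"),
]

# Run/RunOnce under either the native or the Wow6432Node view of HKLM\SOFTWARE.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories any user can write to; a Run target living here is the suspicious part.
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
# "ping <anything>" used as a sleep, chained with & or && into del.
PING_DEL_RE = re.compile(r"\bping\b[^&]*&+\s*del\b", re.I)
# Target of the del: optional switches, then an optionally quoted path at the end.
DEL_TARGET_RE = re.compile(r'\bdel\b(?:\s+/\w)*\s+"?([^"]+?)"?\s*$', re.I)


def run_key_persistence(events):
    """Return (pid, value name, target) for Run values pointing into user-writable dirs."""
    return [(e.pid, e.key.rsplit("\\", 1)[-1], e.data)
            for e in events
            if e.kind == "registry"
            and RUN_KEY_RE.search(e.key)
            and USER_WRITABLE_RE.search(e.data)]


def self_deletion(events):
    """Return (parent pid, cmd pid, deleted path) where cmd.exe sleeps via ping
    and then deletes the image of the very process that launched it."""
    hits = []
    for e in events:
        if e.kind != "process" or not e.image.lower().endswith("\\cmd.exe"):
            continue
        if not PING_DEL_RE.search(e.cmdline):
            continue
        m = DEL_TARGET_RE.search(e.cmdline)
        target = m.group(1) if m else ""
        # Comparing against the parent's image is what separates self-deletion
        # from an ordinary cleanup of some other file.
        if target.lower() == e.parent_image.lower():
            hits.append((e.parent_pid, e.pid, target))
    return hits


if __name__ == "__main__":
    for hit in run_key_persistence(EVENTS):
        print("persistence:", hit)
    for hit in self_deletion(EVENTS):
        print("self-delete:", hit)
```

The self-deletion detector keys on the parent/child relationship rather than on the string "del" alone, so a cmd.exe that removes a temp file on behalf of an installer is not flagged; the persistence detector keys on where the Run target lives rather than on the mere existence of a Run value, which is why the Program Files control passes.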
Network
MITRE ATT&CK Enterprise v6
Downloads (the same hash set is listed three times in the original report)
MD5: 74d51d50966c3892afd317adc747e893
SHA1: 5e54f0c8b8c85b8545c2a75479857401c7072bcf
SHA256: 1087cd92b0616df820c2ac739d9d5704970729732963f63c7f2f58b5474c6713
SHA512: faedd09e9162e3ee7f2aae0ba7ac391f53802fb348472ebfabf9cd4dd37bb61f11f090fddc5299cdfb981ad799a80f4b7f95b8f57735cf80b9a113f3c3c9b7a9