Analysis
- max time kernel: 121s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:26
Static task: static1
Behavioral task: behavioral1
  Sample: 10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe
  Resource: win10v2004-en-20220113
General
- Target: 10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe
- Size: 58KB
- MD5: ab481ca1139b5ea186335a34e7afa826
- SHA1: 7f1f194878e96c6e2f9a9a7000fd4ff287253fd1
- SHA256: 10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742
- SHA512: 9a64331615a8d75bb192756b9c20363760167fa52d0010ee3f47a368e5c5499ce6211b35d76c2cfd26622b2ff1e17a39d4d210538fa67c60758ba62f857119e3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1636  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    792  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1648  10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe
    1648  10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1648  10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1648 wrote to memory of 1636  10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe -> MediaCenter.exe
    PID 1648 wrote to memory of 1636  10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe -> MediaCenter.exe
    PID 1648 wrote to memory of 1636  10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe -> MediaCenter.exe
    PID 1648 wrote to memory of 1636  10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe -> MediaCenter.exe
    PID 1648 wrote to memory of 792  10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe -> cmd.exe
    PID 1648 wrote to memory of 792  10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe -> cmd.exe
    PID 1648 wrote to memory of 792  10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe -> cmd.exe
    PID 1648 wrote to memory of 792  10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe -> cmd.exe
    PID 792 wrote to memory of 336  cmd.exe -> PING.EXE
    PID 792 wrote to memory of 336  cmd.exe -> PING.EXE
    PID 792 wrote to memory of 336  cmd.exe -> PING.EXE
    PID 792 wrote to memory of 336  cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1648
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1636
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10002d557807cbe17bc9a1daf7945299bfbb8a0b7b2b098a7ee489091d755742.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 792
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 336
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 896ace6264352e29fff0ecc56318c36e
  SHA1: 77669a7059d6bef665a34d93729c298248d00c4c
  SHA256: ed8490818cd9aa3f93bc6aa7d87d731b53b5caa54933ecd0c519e407202fdf70
  SHA512: d2586676e4e19f6d58b26cc85ba51d79a3a78e2bbcc34875bbd69483a4c0fc088e01a142476c4910c592fe2d3dc9342509423ee5c93a970b7f835b485a0386cc