Analysis
max time kernel
162s
max time network
162s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 05:37
Static task
static1
Behavioral task
behavioral1
Sample
12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe
Resource
win10v2004-en-20220112
General
Target
12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe
Size
35KB
MD5
f640997f50eb0d46efc1e8278f9478c3
SHA1
382a16c273096771972c8d651f0721113b4034ef
SHA256
12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4
SHA512
f80f231958be8557c570388c4bef2c792a5d7a84fd6c5850842a3e5c59403a47ec0c4209933755846d2ae0a0cedf63731a31a7c8afeaa7db65179bc3a5580120
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
pid | process
1288 | MediaCenter.exe
Deletes itself (1 IoCs)
Processes:
pid | process
1032 | cmd.exe
Loads dropped DLL (2 IoCs)
Processes:
pid | process
1468 | 12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe
1468 | 12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1468 | 12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1468 wrote to memory of 1288 | 1468 | 12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe | MediaCenter.exe
PID 1468 wrote to memory of 1288 | 1468 | 12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe | MediaCenter.exe
PID 1468 wrote to memory of 1288 | 1468 | 12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe | MediaCenter.exe
PID 1468 wrote to memory of 1288 | 1468 | 12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe | MediaCenter.exe
PID 1468 wrote to memory of 1032 | 1468 | 12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe | cmd.exe
PID 1468 wrote to memory of 1032 | 1468 | 12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe | cmd.exe
PID 1468 wrote to memory of 1032 | 1468 | 12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe | cmd.exe
PID 1468 wrote to memory of 1032 | 1468 | 12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe | cmd.exe
PID 1032 wrote to memory of 1504 | 1032 | cmd.exe | PING.EXE
PID 1032 wrote to memory of 1504 | 1032 | cmd.exe | PING.EXE
PID 1032 wrote to memory of 1504 | 1032 | cmd.exe | PING.EXE
PID 1032 wrote to memory of 1504 | 1032 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1468
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1288
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12337e76955cadf935e3a19f4020b27ee01c0a4effff2fc13d5ea85a614545a4.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1032
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1504
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5
1767b9bcfca479ce88aa4a72385ffeb6
SHA1
2b5ac8088e69dcd33c375abe078ec93be8bafb36
SHA256
89f56917b083b3c059baf17e43a66915e3dc073cee444bb8f4db9545691dc8fc
SHA512
689fa84d5acbef2cbae28261af913f24e0509345447d42f017f5b6356d536f3e24ed4683442b51deafad6c6c6ba1899b92931b8f448708df1ad41ee347f626f8