Analysis
max time kernel
138s
max time network
157s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 05:38
Static task
static1
Behavioral task
behavioral1
Sample
1222881b02f2b36597627ee45298f153c5baeaa9c285f85313552decb0200ad5.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1222881b02f2b36597627ee45298f153c5baeaa9c285f85313552decb0200ad5.exe
Resource
win10v2004-en-20220113
General
Target
1222881b02f2b36597627ee45298f153c5baeaa9c285f85313552decb0200ad5.exe
Size
36KB
MD5
5ebec1aab492bb2ac5bc81c07b9f2744
SHA1
5225218f3c7e02edf658534d13ad4044a34efd71
SHA256
1222881b02f2b36597627ee45298f153c5baeaa9c285f85313552decb0200ad5
SHA512
58a8245957f381e672902f74f28612a18b71b0d3e2099cd25fd88037b3333c524788519d6ffd0e5d1874844f6f852786a7495cccb54a45194265912cb94f0256
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
pid 1500 MediaCenter.exe
Deletes itself (1 IoC)
Processes:
pid 1940 cmd.exe
Loads dropped DLL (2 IoCs)
Processes:
pid 748 1222881b02f2b36597627ee45298f153c5baeaa9c285f85313552decb0200ad5.exe (2 events)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 1222881b02f2b36597627ee45298f153c5baeaa9c285f85313552decb0200ad5.exe (pid 748)
The Wow6432Node path shows a 32-bit process writing the machine-wide Run key on a 64-bit host under WoW64 registry redirection; the autostart target sits in the user-writable Temp directory rather than Program Files.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the signature; the run recorded the TTP but no specific IoC for it, so treat the ransomware attribution as a heuristic rather than a finding.
Runs ping.exe (1 TTP, 1 IoC)
Processes:
pid 1596 PING.EXE, ping 127.0.0.1 (see the process tree below)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
Token: SeIncBasePriorityPrivilege, pid 748 1222881b02f2b36597627ee45298f153c5baeaa9c285f85313552decb0200ad5.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source pid -> target pid, 4 events each):
748 1222881b02f2b36597627ee45298f153c5baeaa9c285f85313552decb0200ad5.exe -> 1500 MediaCenter.exe
748 1222881b02f2b36597627ee45298f153c5baeaa9c285f85313552decb0200ad5.exe -> 1940 cmd.exe
1940 cmd.exe -> 1596 PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\1222881b02f2b36597627ee45298f153c5baeaa9c285f85313552decb0200ad5.exe (pid 748, depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\1222881b02f2b36597627ee45298f153c5baeaa9c285f85313552decb0200ad5.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (pid 1500, depth 2, child of 748)
  command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (pid 1940, depth 2, child of 748)
  command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1222881b02f2b36597627ee45298f153c5baeaa9c285f85313552decb0200ad5.exe"
  - Deletes itself
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (pid 1596, depth 3, child of 1940)
    command line: ping 127.0.0.1
    - Runs ping.exe
Note that the cmd.exe command line names System32 but the image that ran is in SysWOW64: the 32-bit sample is subject to WoW64 file-system redirection. The ping to 127.0.0.1 serves only as a short delay so the parent process has exited and released its file before del runs, a common self-deletion idiom; the sample itself never touches the network here.
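The four process-level signatures in this report (Executes dropped EXE, Adds Run key to start application, Deletes itself, Runs ping.exe) can be reproduced from a process, file and registry event stream. The following is an added example written for this page, not code from the sandbox that produced the report. The events are constructed from the pids, image paths, command lines and registry value reported above; the FileEvent that drops MediaCenter.exe is an assumption, since the report calls it a dropped EXE but does not show the write. The RunOnce match and the user-writable-path check go slightly beyond this one run and are the example's own generalization.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Union

# Paths taken from the report above.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1222881b02f2b36597627ee45298f153c5baeaa9c285f85313552decb0200ad5.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
           r"\CurrentVersion\Run\MicroMedia")


@dataclass
class ProcEvent:          # process creation (Sysmon event 1 style)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class FileEvent:          # executable written to disk (Sysmon event 11 style)
    pid: int
    path: str


@dataclass
class RegEvent:           # registry value set (Sysmon event 13 style)
    pid: int
    key: str
    data: str


Event = Union[ProcEvent, FileEvent, RegEvent]

# Constructed event stream modelled on the report's process tree and IoCs.
# The FileEvent is an assumption: the report lists MediaCenter.exe as a
# dropped EXE but does not show the write that dropped it.
EVENTS: List[Event] = [
    ProcEvent(748, 0, SAMPLE, f'"{SAMPLE}"'),
    FileEvent(748, DROPPED),
    RegEvent(748, RUN_KEY, DROPPED),
    ProcEvent(1500, 748, DROPPED, DROPPED),
    ProcEvent(1940, 748, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1596, 1940, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# Run and RunOnce autostart keys under any hive (HKLM, HKCU, Wow6432Node).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations a standard user can write to; an autostart pointing here is a red flag.
USER_WRITABLE_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Public\\",
                              re.IGNORECASE)


def analyse(events: List[Event]) -> Dict[str, List[str]]:
    """Walk the events in order and return signature name -> list of IoC strings."""
    procs: Dict[int, ProcEvent] = {}
    dropped: set = set()
    hits: Dict[str, List[str]] = {}

    def hit(sig: str, ioc: str) -> None:
        hits.setdefault(sig, []).append(ioc)

    for ev in events:
        if isinstance(ev, FileEvent):
            dropped.add(ev.path.lower())           # remember what the sample wrote
        elif isinstance(ev, RegEvent):
            if RUN_KEY_RE.search(ev.key):
                where = ("user-writable path" if USER_WRITABLE_RE.search(ev.data)
                         else "other path")
                hit("Adds Run key to start application",
                    f"pid {ev.pid} set {ev.key} = {ev.data} ({where})")
        else:  # ProcEvent
            procs[ev.pid] = ev
            if ev.image.lower() in dropped:        # image was written earlier in this run
                hit("Executes dropped EXE", f"pid {ev.pid} {ev.image}")
            if ev.image.lower().endswith("\\ping.exe"):
                hit("Runs ping.exe", f"pid {ev.pid} {ev.cmdline}")
            parent = procs.get(ev.ppid)
            # Self-deletion: a child whose command line deletes the parent's own image.
            if (parent and re.search(r"\bdel\b", ev.cmdline, re.IGNORECASE)
                    and parent.image.lower() in ev.cmdline.lower()):
                hit("Deletes itself",
                    f"pid {ev.pid} {ev.image} deletes {parent.image} for pid {parent.pid}")
    return hits


if __name__ == "__main__":
    for sig, iocs in analyse(EVENTS).items():
        print(sig)
        for ioc in iocs:
            print("  " + ioc)
```

Run as-is it prints the four signatures with one IoC line each, matching the report; feed it real Sysmon events in the same shape and the same rules apply. The self-deletion rule keys on the parent's image path appearing next to a del in the child's command line, which is exactly the relationship between pid 748 and pid 1940 above.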
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5
c191cc71e927716179551cfb106e5b9f
SHA1
2b61494605261891934901bf2000afe84ba30b4a
SHA256
a4e4b7a78e5f8f0cd7d13df9e7260c942b5bc65ec09f4aa258c20e5fe8b7ab36
SHA512
ce30f0c57189b864602e5508480415180d117d2ed9b63ce528579631a7bf59761d0e4e5dcd0cee1bf619f7f1e93003ec13e794440c351279ef7c6cca6a0b0226