Analysis
Max time kernel: 117s
Max time network: 138s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 05:37
Static task: static1
Behavioral task: behavioral1
  Sample: 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe
  Resource: win10v2004-en-20220113
General
Target: 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe
Size: 36KB
MD5: 1e5d82d0f9ab8f66d3734c5025d6e9e3
SHA1: 43a4c686b232f76cf884f9891c0bcf64783e65fe
SHA256: 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534
SHA512: 02e0205b4a6972bce5905516ae78697e6dc5cd366b514b012dbd0b4e75fc4458cc8b554fd2c574a49536fae5ef5676b5a07ab2ffc455fc84c12a856d656a889e
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  PID 1884  MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  PID 392  cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 1072  122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe
  PID 1072  122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Description: Token: SeIncBasePriorityPrivilege
  PID 1072  122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source PID, source process, target PID, target process):
  PID 1072  122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe  wrote to memory of  PID 1884  MediaCenter.exe  (4 entries)
  PID 1072  122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe  wrote to memory of  PID 392   cmd.exe         (4 entries)
  PID 392   cmd.exe                                                               wrote to memory of  PID 1992  PING.EXE        (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe"
   PID: 1072
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1884
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe"
      PID: 392
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1992
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 280f176dc867d55d138b96ed6378134a
SHA1: cf989db871a7f88bc669005e647c145b965bd225
SHA256: 2ace5d575f25dc6d6da8d3170921f469ff9f03858b58e83e9561fe036baeab6b
SHA512: d939f2d1f09950630e317a3e49ba7e370bc06820b46b4e1211594639c42841ab4cbbfcc8c7a0d7561494688420d2bcda563edb59835b77d8a4238c808e424d2c