Analysis
- max time kernel: 122s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:39
Static task: static1
Behavioral task: behavioral1
  Sample: 1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe
  Resource: win10v2004-en-20220113
General
- Target: 1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe
- Size: 58KB
- MD5: 9d2f68cc0c04f37a3fee065911976650
- SHA1: b3464f3424a54c61243e9cb528538eb601a76c72
- SHA256: 1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97
- SHA512: cdd7795649e763c19540481f8bc77e71de0daceed4a41c3b3b1d5eda0dfab2629bb6f26081cc91cb8da475e8c8f3b165efccc3b3a15e4a02952c36f4083545fd
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1744  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1476  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1512  1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe
    1512  1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1512  1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1512 wrote to memory of 1744  1512  1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe  MediaCenter.exe
    PID 1512 wrote to memory of 1744  1512  1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe  MediaCenter.exe
    PID 1512 wrote to memory of 1744  1512  1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe  MediaCenter.exe
    PID 1512 wrote to memory of 1744  1512  1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe  MediaCenter.exe
    PID 1512 wrote to memory of 1476  1512  1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe  cmd.exe
    PID 1512 wrote to memory of 1476  1512  1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe  cmd.exe
    PID 1512 wrote to memory of 1476  1512  1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe  cmd.exe
    PID 1512 wrote to memory of 1476  1512  1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe  cmd.exe
    PID 1476 wrote to memory of 1820  1476  cmd.exe  PING.EXE
    PID 1476 wrote to memory of 1820  1476  cmd.exe  PING.EXE
    PID 1476 wrote to memory of 1820  1476  cmd.exe  PING.EXE
    PID 1476 wrote to memory of 1820  1476  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe (depth 1, PID 1512)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 1744)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1476)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1219cd5a2f05c63ecfd9692076e77b9515ec07e1cb376b2826552429c014cf97.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 1820)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a8dca832a7db1b0343f4c6ab74c12d72
  SHA1: 0d3746a30bd2d5106900adcb693c0d4bb508e8f8
  SHA256: 53b194c07d8bdb141091c0f445e5ec910d858a8a084905eaeb8e5947b7ec334c
  SHA512: 2009a522c8991ad1cfe4f19baa3445fb21f5147676facc3e3cd29e3252ea4e948c568da2c5de33a52610cb5edde5a262406cf717c8ded9ec28f86c6160b33ba9