Analysis
- max time kernel: 144s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:40
Static task: static1
Behavioral task: behavioral1
  Sample: 12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe
  Resource: win10v2004-en-20220112
General
- Target: 12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe
- Size: 36KB
- MD5: 867bec25af72ca40691b8787b0f23755
- SHA1: 1fbba14c91fd6168dc14fd7a00f5e39da44b411c
- SHA256: 12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95
- SHA512: 1a0c1d7b570e6adc5580ea0836501365cf173e68ca173a3c9aeed1086c567a433a3f06e9a7dafd4a072e083560828a585aebdfafd697f986d6d90a88b8556882
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid   process
1664  MediaCenter.exe
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid   process
916   cmd.exe
-
Loads dropped DLL 2 IoCs
Processes: 12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe
pid   process
288   12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe
288   12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
process: 12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe
description: Token: SeIncBasePriorityPrivilege
pid: 288
process: 12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe, cmd.exe
description                       pid   process                                                                 target process
PID 288 wrote to memory of 1664   288   12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe   MediaCenter.exe
PID 288 wrote to memory of 1664   288   12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe   MediaCenter.exe
PID 288 wrote to memory of 1664   288   12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe   MediaCenter.exe
PID 288 wrote to memory of 1664   288   12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe   MediaCenter.exe
PID 288 wrote to memory of 916    288   12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe   cmd.exe
PID 288 wrote to memory of 916    288   12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe   cmd.exe
PID 288 wrote to memory of 916    288   12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe   cmd.exe
PID 288 wrote to memory of 916    288   12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe   cmd.exe
PID 916 wrote to memory of 1944   916   cmd.exe                                                                 PING.EXE
PID 916 wrote to memory of 1944   916   cmd.exe                                                                 PING.EXE
PID 916 wrote to memory of 1944   916   cmd.exe                                                                 PING.EXE
PID 916 wrote to memory of 1944   916   cmd.exe                                                                 PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 288
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  PID: 1664
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe"
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID: 916
    C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    - Runs ping.exe
    PID: 1944
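Detection logic for two of the behaviours recorded in the signatures and process tree above, the Run value under Wow6432Node pointing into %TEMP% and cmd.exe deleting its parent's image after a ping delay, written as an added example; it is not part of the sandbox report or of any tool the page names. The events are constructed in a Sysmon-like shape (EventID 1 for process creation, EventID 13 for a registry value set) that mirrors the report's PIDs and paths, and the field names are assumptions. The self-delete rule keys on the image path rather than the command line, because the 32-bit sample's reference to System32\cmd.exe was redirected to SysWOW64\cmd.exe, as the tree shows.

```python
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\12044fabcc285190709e99bcf297c5186ec2c81d4d5cd788acb33dd4fe8a4b95.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events in a Sysmon-like shape (assumed field names). They mirror
# the report's process tree but are not log lines taken from it.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 288, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 288, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 1664, "Image": DROPPED, "CommandLine": DROPPED,
     "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 916, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
     "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 1944, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping 127.0.0.1", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    # Benign look-alikes (constructed): an operator clearing a log with the same
    # ping-and-del idiom, and a Run value that points into Program Files.
    {"EventID": 1, "ProcessId": 2000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 & del /q "C:\Logs\old.log"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 2001, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

# Run and RunOnce keys under either the native or the Wow6432Node view.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Locations a standard user can write to; a Run value pointing here is the
# pattern this sample shows (%TEMP%\MicroMedia\MediaCenter.exe).
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def parse_ping_del(cmdline):
    """Return the path removed by a 'ping ... & del [/flags] <path>' chain, else None.

    ping acts as a sleep so the deleting cmd.exe outlives the parent; the
    deletion is the last '&'-separated command."""
    parts = [p.strip() for p in cmdline.split("&") if p.strip()]
    if len(parts) < 2 or not re.search(r"\bping(?:\.exe)?\b", parts[0], re.I):
        return None
    m = re.match(r'(?:del|erase)\s+(?:/\w+\s+)*"?(?P<target>[^"]+?)"?\s*$',
                 parts[-1], re.I)
    return m.group("target") if m else None


def detect_self_delete(events):
    """cmd.exe whose ping-and-del chain deletes exactly its parent's image."""
    out = []
    for ev in events:
        if ev["EventID"] != 1 or not ev["Image"].lower().endswith("\\cmd.exe"):
            continue
        target = parse_ping_del(ev["CommandLine"])
        if target and target.lower() == ev["ParentImage"].lower():
            out.append(Finding("self_delete_via_ping_del", ev["ProcessId"], target))
    return out


def detect_run_key_persistence(events):
    """Run/RunOnce value whose data points into a user-writable directory."""
    out = []
    for ev in events:
        if ev["EventID"] != 13 or not RUN_KEY.search(ev["TargetObject"]):
            continue
        if USER_WRITABLE.search(ev["Details"]):
            out.append(Finding("run_key_to_user_writable_path", ev["ProcessId"],
                               f'{ev["TargetObject"]} = {ev["Details"]}'))
    return out


def analyze(events):
    return detect_run_key_persistence(events) + detect_self_delete(events)


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

The self-delete rule fires only when the deleted path equals the parent's image, so the constructed pid 2000 event (an operator clearing a log file with the same idiom) is ignored; relax that comparison to a same-directory match if you also want droppers that delete a sibling loader rather than themselves.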
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e0a660a9c9860ec0618bc362c281e742
- SHA1: 6354a17967a169c5b04e80a7464c5abe8508e58a
- SHA256: 4ab4b5043884ed5b63bfc8812a3e27e67bcd7a8a2fdaf54d9bdc5cf7fc0461e4
- SHA512: 14a192f5c86f061d2b4ed1274b86d046462bfc70c885d3d4e20060d9144e5e8dabd908c599609bea49cbcde5302dbaa10480e38d5e59a75a9ea52a7166e8c5d0