Analysis
max time kernel: 149s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:44

Static task: static1
Behavioral task: behavioral1
  Sample: 11d5d2708b2b5e442f3619bd92c26860c7e96196ee45bdc68c29515fa05a2463.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 11d5d2708b2b5e442f3619bd92c26860c7e96196ee45bdc68c29515fa05a2463.exe
  Resource: win10v2004-en-20220112
General
Target: 11d5d2708b2b5e442f3619bd92c26860c7e96196ee45bdc68c29515fa05a2463.exe
Size: 35KB
MD5: 173c6eefd48a4f674d51ec90b05b1ce1
SHA1: 7a19afe5f1f81fb1759c856e7f688fc97e5f6e14
SHA256: 11d5d2708b2b5e442f3619bd92c26860c7e96196ee45bdc68c29515fa05a2463
SHA512: c174d877e9eb4cc4a8d0908f1f0ea43d0648ac67eb43261ac72756bbf58a16d292ffeac285b074597391d2c5bcae37de0f7755e061e73f57e3795eea0223ef1a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1428
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 1084
- Loads dropped DLL (2 IoCs)
  Process: 11d5d2708b2b5e442f3619bd92c26860c7e96196ee45bdc68c29515fa05a2463.exe, PID 1448 (two loads recorded)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 11d5d2708b2b5e442f3619bd92c26860c7e96196ee45bdc68c29515fa05a2463.exe, PID 1448
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but the signature is a generic heuristic: this report records no file-encryption or ransom-note activity, so the sample should not be classified as ransomware on this signature alone.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE, PID 1788 (see the process tree below)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege
  Process: 11d5d2708b2b5e442f3619bd92c26860c7e96196ee45bdc68c29515fa05a2463.exe, PID 1448
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1448 (11d5d2708b2b5e442f3619bd92c26860c7e96196ee45bdc68c29515fa05a2463.exe) wrote to memory of PID 1428 (MediaCenter.exe), 4 times
  PID 1448 (11d5d2708b2b5e442f3619bd92c26860c7e96196ee45bdc68c29515fa05a2463.exe) wrote to memory of PID 1084 (cmd.exe), 4 times
  PID 1084 (cmd.exe) wrote to memory of PID 1788 (PING.EXE), 4 times
  Every target is a child the writing process had just created. Writes into a newly created child's address space are part of normal process start-up (the parent populates the child's environment and start-up data during CreateProcess), so this pattern by itself does not indicate code injection; no write into an unrelated, pre-existing process is recorded.
Processes
- C:\Users\Admin\AppData\Local\Temp\11d5d2708b2b5e442f3619bd92c26860c7e96196ee45bdc68c29515fa05a2463.exe (PID 1448)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11d5d2708b2b5e442f3619bd92c26860c7e96196ee45bdc68c29515fa05a2463.exe"
  Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1428)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1084)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11d5d2708b2b5e442f3619bd92c26860c7e96196ee45bdc68c29515fa05a2463.exe"
    Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1788)
      Command line: ping 127.0.0.1
      Runs ping.exe

The cmd.exe command line names C:\Windows\System32\cmd.exe, yet the process image is C:\Windows\SysWOW64\cmd.exe, and the Run value was written under Wow6432Node: the sample runs as a 32-bit process on 64-bit Windows, so WOW64 file-system and registry redirection rewrote both. When checking a host, look for the MicroMedia value in both the native and the Wow6432Node Run keys. The "ping 127.0.0.1 & del /q" chain is the usual self-removal idiom: ping (four echoes by default, roughly three seconds) stalls cmd.exe until the original process has exited and released its image file, after which del removes it, leaving MediaCenter.exe in %LOCALAPPDATA%\Temp\MicroMedia as the persistent copy.
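Detection logic for two of the behaviours recorded above (the ping-then-del self-removal chain and a Run value pointing into a user-writable directory), as an added example that is not part of the sandbox report or the sample. It runs over constructed Sysmon-style events (Event ID 1 = process creation, Event ID 13 = registry value set) that mirror the report's process tree; the field names follow Sysmon, while the events, the parent PID 900 and the two benign decoys are constructed for this example.

```python
"""Added example, not from the sandbox report: detection rules for the
ping/del self-delete chain and for Run-key persistence into a user-writable
path, evaluated over constructed Sysmon-style events."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\11d5d2708b2b5e442f3619bd92c26860c7e96196ee45bdc68c29515fa05a2463.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events. PIDs, images and command lines come from the report;
# ppid 900 and the two "benign" decoys at the end are invented and must not fire.
EVENTS = [
    {"id": 1, "pid": 1448, "ppid": 900, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"id": 13, "pid": 1448,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"id": 1, "pid": 1428, "ppid": 1448, "image": DROPPED, "cmdline": DROPPED},
    {"id": 1, "pid": 1084, "ppid": 1448, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"id": 1, "pid": 1788, "ppid": 1084, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Decoys: a ping with no delete, and a Run value pointing into Program Files.
    {"id": 1, "pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 10.0.0.1 -n 4'},
    {"id": 13, "pid": 2001,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

# "ping <addr> & del <path>": ping stalls cmd.exe until the parent has exited
# and its image file is no longer locked, then del removes it.
PING_THEN_DEL = re.compile(r"\bping\b.*&\s*del\b", re.IGNORECASE)
# Matches the native Run/RunOnce key and the Wow6432Node view alike, because
# the regex starts at \Microsoft\ and ignores whatever precedes it.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\ProgramData\\|\\Users\\Public\\",
    re.IGNORECASE)


def find_self_delete(events):
    """Return (parent_pid, parent_image) for each cmd.exe child whose command
    line deletes its own parent's image after a ping delay."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in procs.values():
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = procs.get(e["ppid"])
        if parent is None or not PING_THEN_DEL.search(e["cmdline"]):
            continue
        if parent["image"].lower() in e["cmdline"].lower():
            hits.append((parent["pid"], parent["image"]))
    return hits


def find_run_key_to_writable_path(events):
    """Return (pid, value_name, data) for Run/RunOnce values whose data points
    into a user-writable directory such as %LOCALAPPDATA%\\Temp."""
    hits = []
    for e in events:
        if e["id"] != 13 or not RUN_KEY.search(e["target"]):
            continue
        if USER_WRITABLE.search(e["details"]):
            value_name = e["target"].rsplit("\\", 1)[-1]
            hits.append((e["pid"], value_name, e["details"]))
    return hits


if __name__ == "__main__":
    for pid, image in find_self_delete(EVENTS):
        print(f"self-delete via ping/del by PID {pid}: {image}")
    for pid, name, data in find_run_key_to_writable_path(EVENTS):
        print(f"Run value {name!r} set by PID {pid} -> {data}")
```

The self-delete rule keys on the parent relationship rather than on the string "del" alone, so a cmd.exe that merely pings (the first decoy) is not flagged; the persistence rule keys on where the Run value points, so a legitimate Program Files entry (the second decoy) passes while the MicroMedia value under Wow6432Node is caught.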
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 1494051f8b33167de64360d289db5b68
SHA1: 1b66a293223a4dc6524aa1a466230d10b38b0e28
SHA256: d687c6459d55a3b514bda04b3710007e1a0dd52ce0202b9e0b0e318db93ed8f6
SHA512: 914615922821079bfb59da3a15c44f189245ec5db28915c49962b5b886d17056ca7470b0329746181601dc1157f566a982047fa45bf4fc747f2d5e81150eb12b