Analysis
- max time kernel: 152s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:43
Static task: static1
Behavioral task: behavioral1
- Sample: 11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe
- Resource: win10v2004-en-20220113
General
- Target: 11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe
- Size: 36KB
- MD5: d026b4439f5b727086c18051c824c515
- SHA1: 507975bfb1fd05d3dce314ab63ea47e1742c8996
- SHA256: 11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033
- SHA512: 27695eb303ab7202d8959b2e7218b3f664d83da7c27cebc402d3805c956a0cd832ff6275c4d1adb3b1b51cf81316514c0eec2ff7cdca32316d0626f9c60afa55
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1568)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 816)
- Loads dropped DLL (2 IoCs)
  Process: 11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe (PID 1692), two load events
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Written by 11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe (PID 1692). The Wow6432Node path is the 32-bit view of HKLM\...\CurrentVersion\Run, so this is a machine-wide (all users) autostart entry written by a 32-bit process; it succeeds here because the sandbox runs the sample as Admin. The value points into the user's Temp directory, which is where the dropped MediaCenter.exe lives.
- Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); the signature text labels this "likely ransomware behaviour". No process or IoC is attached to this signature in the report, so it is a heuristic hit, not an observed file-encryption event.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, 11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe (PID 1692)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1692 (11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe) wrote to memory of PID 1568 (MediaCenter.exe): 4 events
  PID 1692 (11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe) wrote to memory of PID 816 (cmd.exe): 4 events
  PID 816 (cmd.exe) wrote to memory of PID 1780 (PING.EXE): 4 events
  Each group of four writes coincides with the parent spawning that child (see the process tree below), which is consistent with ordinary process creation rather than a separate injection step.
Processes
1. C:\Users\Admin\AppData\Local\Temp\11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe"
   PID: 1692
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1568
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe"
      PID: 816
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1780
         - Runs ping.exe
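The process tree records two behaviours that are worth turning into host-based detections: a Run value written under HKLM that points into a user-writable Temp directory, and the classic `cmd /c ping 127.0.0.1 & del /q "<own path>"` self-deletion, where ping is only there to delay `del` until the parent has exited and released its image file. The following Python is an added example and is not part of the sandbox report or of the sample; the event records, their field names (`type`, `pid`, `ppid`, `image`, `cmdline`, `key`, `name`, `data`) and the benign control entry are constructed to mirror the IoCs above, not captured telemetry. It generalises slightly beyond the page: the self-delete rule also accepts `ping -n N`, `localhost` and `&&`, and it distinguishes deleting the spawning parent's own image from deleting some other file.

```python
"""Detection logic for the two behaviours seen in this report:
Run-key persistence into a user-writable path, and ping-delayed self-deletion."""
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample events (NOT sandbox output) modelled on the report's
# process tree and registry IoC. Field names are an assumption of this example.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1692, "ppid": 400,
     "image": r"C:\Users\Admin\AppData\Local\Temp\11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe"'},
    {"type": "registry", "pid": 1692,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicroMedia",
     "data": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"type": "process", "pid": 1568, "ppid": 1692,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"type": "process", "pid": 816, "ppid": 1692,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11e07c76df85cf3ac1c51896722509dafb87ae1627befa692db7790659ce0033.exe"'},
    {"type": "process", "pid": 1780, "ppid": 816,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Benign control (constructed): an installer registering itself from Program Files.
    {"type": "registry", "pid": 999,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "Updater", "data": r"C:\Program Files\Vendor\updater.exe"},
]

# Run / RunOnce keys in either the native or the Wow6432Node registry view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Locations a standard user can write to; a machine-wide autostart pointing here is suspicious.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\ProgramData\\|\\Users\\Public\\", re.I)
# "ping [-n N] 127.0.0.1|localhost ... & del [/x ...] <target>" as used for delayed self-deletion.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b.*?&+\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+)"?',
    re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def detect(events: Iterable[dict]) -> list[Finding]:
    """Run both rules over a stream of process/registry events and return findings in event order."""
    events = list(events)
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    findings: list[Finding] = []
    for e in events:
        if e["type"] == "registry" and RUN_KEY_RE.search(e["key"]):
            # Rule 1: autostart value whose target lives in a user-writable directory.
            if USER_WRITABLE_RE.search(e["data"]):
                findings.append(Finding("run_key_user_writable", e["pid"], f'{e["name"]} -> {e["data"]}'))
        elif e["type"] == "process" and e["image"].lower().endswith("\\cmd.exe"):
            # Rule 2: ping-delayed delete; escalate when the file deleted is the parent's own image.
            m = SELF_DELETE_RE.search(e["cmdline"])
            if m:
                target = m.group("target").strip()
                parent_image = image_by_pid.get(e["ppid"], "")
                rule = "self_delete_parent" if target.lower() == parent_image.lower() else "ping_delay_delete"
                findings.append(Finding(rule, e["pid"], target))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:24} pid={f.pid:<5} {f.detail}")
```

Resolving the `del` target against the spawning parent's image path is what separates genuine self-deletion (the sample removing its own dropper after handing off to MediaCenter.exe) from scripts that merely use ping as a sleep; both are worth logging, but only the former should page anyone on its own.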
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: be7bd93ce1118b6b4ea18917c560c10b
  SHA1: 9015357f37b174c4f5757a454a1811c177084f8a
  SHA256: 427af00f497edfc5cb2fed70daaac8dbbd00157ea9e9642cb58774553f1b75c4
  SHA512: 6b120e2f6122c7b29083ab67c4d648a77f0da3dc5367aae99d631e31ba906f8ad3d9e81a0d25010eef19955a1b35818a29824c2440eafb51992802b5bf33b951