Analysis
- max time kernel: 123s
- max time network: 143s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:45
Static task: static1
Behavioral task: behavioral1
- Sample: 11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
- Resource: win10v2004-en-20220113
General
- Target: 11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
- Size: 36KB
- MD5: c73aa935834c45208544470f708fc841
- SHA1: 9d03d558350dd09dd58b70851c258a7e5a18e88a
- SHA256: 11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073
- SHA512: 89e66a893855ff7ec2b2f3a94d2b5aac78f91213333d63a3cc2125faecd8be423fc74476ff116eee777b82e636f99a26ebde7d7451f59818712b38bdd8054f9f
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1656  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    1528  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1340  11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
    1340  11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                                                  process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                           pid   process
    Token: SeIncBasePriorityPrivilege     1340  11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                      pid   process                                                                   target process
    PID 1340 wrote to memory of 1656  1340  11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe  MediaCenter.exe
    PID 1340 wrote to memory of 1656  1340  11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe  MediaCenter.exe
    PID 1340 wrote to memory of 1656  1340  11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe  MediaCenter.exe
    PID 1340 wrote to memory of 1656  1340  11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe  MediaCenter.exe
    PID 1340 wrote to memory of 1528  1340  11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe  cmd.exe
    PID 1340 wrote to memory of 1528  1340  11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe  cmd.exe
    PID 1340 wrote to memory of 1528  1340  11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe  cmd.exe
    PID 1340 wrote to memory of 1528  1340  11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe  cmd.exe
    PID 1528 wrote to memory of 980   1528  cmd.exe                                                                   PING.EXE
    PID 1528 wrote to memory of 980   1528  cmd.exe                                                                   PING.EXE
    PID 1528 wrote to memory of 980   1528  cmd.exe                                                                   PING.EXE
    PID 1528 wrote to memory of 980   1528  cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe"
  Level: 1
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1340
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Level: 2
    - Executes dropped EXE
    PID: 1656
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe"
    Level: 2
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1528
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Level: 3
      - Runs ping.exe
      PID: 980
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 830e4c39cfb1ee7f4ee1771fcbc5374b
  SHA1: 1cefa8b2c8a69c7ad77b431cb9961c50fafb479e
  SHA256: 5b725aeb8738fa775181df0a3eca818c81f02598f699ba0d879891af54ca39d5
  SHA512: 0aa2d8989b2b55ce70a72e334ec469e8905cb932b10aac776ca7c617903adc472a54fea2facab600aa87aff46a60b002a21ff1f92d24ae038477f007fe03c78e