Analysis
  max time kernel: 134s
  max time network: 158s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 12-02-2022 05:46
Static task: static1
Behavioral task: behavioral1
  Sample: 11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe
  Resource: win10v2004-en-20220113
General
  Target: 11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe
  Size: 58KB
  MD5: 5d46c664cec4df80e5eb76a615de2ca8
  SHA1: 6bc5301505705c4b37e05db1ed7e2fc97dfa419b
  SHA256: 11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6
  SHA512: 7e54d73964d2e40ec585a4c090da2ac5a784e38be44967cbb92bede9cedd3d3d92bb11e8793d00599f6447922f1787c278c5f5af9bccda1c39e45aedb2364bd6
Malware Config
Signatures
  Executes dropped EXE (1 IoCs)
    Processes:
      pid 528   process MediaCenter.exe
  Deletes itself (1 IoCs)
    Processes:
      pid 1064  process cmd.exe
  Loads dropped DLL (2 IoCs)
    Processes:
      pid 972   process 11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe
      pid 972   process 11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe
  Adds Run key to start application (2 TTPs, 1 IoCs)
    Processes:
      description: Set value (str)
      ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
      process: 11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Runs ping.exe (1 TTPs, 1 IoCs)
  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    Processes:
      description: Token: SeIncBasePriorityPrivilege
      pid: 972
      process: 11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe
  Suspicious use of WriteProcessMemory (12 IoCs)
    Processes (description / pid / process / target process):
      PID 972 wrote to memory of 528    972   11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe  MediaCenter.exe
      PID 972 wrote to memory of 528    972   11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe  MediaCenter.exe
      PID 972 wrote to memory of 528    972   11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe  MediaCenter.exe
      PID 972 wrote to memory of 528    972   11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe  MediaCenter.exe
      PID 972 wrote to memory of 1064   972   11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe  cmd.exe
      PID 972 wrote to memory of 1064   972   11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe  cmd.exe
      PID 972 wrote to memory of 1064   972   11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe  cmd.exe
      PID 972 wrote to memory of 1064   972   11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe  cmd.exe
      PID 1064 wrote to memory of 2020  1064  cmd.exe  PING.EXE
      PID 1064 wrote to memory of 2020  1064  cmd.exe  PING.EXE
      PID 1064 wrote to memory of 2020  1064  cmd.exe  PING.EXE
      PID 1064 wrote to memory of 2020  1064  cmd.exe  PING.EXE
Processes
  1. C:\Users\Admin\AppData\Local\Temp\11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe"
     PID: 972
     - Loads dropped DLL
     - Adds Run key to start application
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 528
        - Executes dropped EXE
     2. C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe"
        PID: 1064
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\PING.EXE
           Command line: ping 127.0.0.1
           PID: 2020
           - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: cce02fae8d2902401a64f8bea1e1c015
  SHA1: 0e441a4147228b41df96965b683a531a2d13ce8d
  SHA256: c572716b85e11ac0d201fecc1f8291cfe7437226e2647e96616ff3bc6087ebbc
  SHA512: 79a395cb3c833f143bdbc20de74548f578c156dfa6c7787d90805718dbcbcc060e3d82feece121c1e5989d18dada2ba782eb5d3f81be97992fb258c16d64fa7f