Analysis
- max time kernel: 122s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:46
Static task: static1
Behavioral task: behavioral1
- Sample: 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
- Resource: win10v2004-en-20220113
General
- Target: 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
- Size: 58KB
- MD5: 249216117351b63e73bde41c89c05101
- SHA1: 54e8ab5175b2bdd0529822eff2ac6a462beda7f1
- SHA256: 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1
- SHA512: 692803862600601122027e7992da3627422e57acb174f50e51d8e260654d7e3ea222689cc134aa74842f0a0d411b3f93857bf479e79aa86055fece5536cb3b5c
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2032, process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid 1084, process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 948, process 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
    pid 948, process 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege, pid 948, process 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe, cmd.exe):
    description                        | pid  | process                                                                   | target process
    PID 948 wrote to memory of 2032    | 948  | 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe | MediaCenter.exe
    PID 948 wrote to memory of 2032    | 948  | 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe | MediaCenter.exe
    PID 948 wrote to memory of 2032    | 948  | 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe | MediaCenter.exe
    PID 948 wrote to memory of 2032    | 948  | 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe | MediaCenter.exe
    PID 948 wrote to memory of 1084    | 948  | 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe | cmd.exe
    PID 948 wrote to memory of 1084    | 948  | 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe | cmd.exe
    PID 948 wrote to memory of 1084    | 948  | 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe | cmd.exe
    PID 948 wrote to memory of 1084    | 948  | 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe | cmd.exe
    PID 1084 wrote to memory of 1500   | 1084 | cmd.exe                                                                   | PING.EXE
    PID 1084 wrote to memory of 1500   | 1084 | cmd.exe                                                                   | PING.EXE
    PID 1084 wrote to memory of 1500   | 1084 | cmd.exe                                                                   | PING.EXE
    PID 1084 wrote to memory of 1500   | 1084 | cmd.exe                                                                   | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe"
  PID: 948
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2032
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe"
    PID: 1084
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1500
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3ca90ba3c407f3804991668d39ef1682
  SHA1: c0b11dd1d720b9da69c94e6306235c4e67df771a
  SHA256: d622de2d84478249f19dfd813505962b4152bab6e7e42b1dcdc3b2e79f8c6e3d
  SHA512: ef3022fdb77104e4d0f3873c89d1b9371dd62c529a6e90a4e93b575c0bb65756539b9eb1be90dfd4e8a3f7be24ab68bf4b8b29f2cf8da105dbc25cf3d1ca4da3