Analysis
- max time kernel: 134s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:48
Static task: static1
Behavioral task: behavioral1
- Sample: 11a702e74917bf63670232f8405e3dd99cf649c5e3a51f987ae1dec6186ddfe3.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11a702e74917bf63670232f8405e3dd99cf649c5e3a51f987ae1dec6186ddfe3.exe
- Resource: win10v2004-en-20220112
General
- Target: 11a702e74917bf63670232f8405e3dd99cf649c5e3a51f987ae1dec6186ddfe3.exe
- Size: 35KB
- MD5: f60b26edbd92a2fc93ef380661162779
- SHA1: 63baf874b5eb0ed5433559ebed3d7d90915b31d9
- SHA256: 11a702e74917bf63670232f8405e3dd99cf649c5e3a51f987ae1dec6186ddfe3
- SHA512: e934d203950736714a90b578af604507bab3f9c744ed9d11a5bb0b42db071343cdc1e0920428f4e017e65c9ac53003e8107db2da0dd01fa3ccee7b65d3000ba7
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: PID 1916 MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: PID 2012 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 740 11a702e74917bf63670232f8405e3dd99cf649c5e3a51f987ae1dec6186ddfe3.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: 11a702e74917bf63670232f8405e3dd99cf649c5e3a51f987ae1dec6186ddfe3.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: PID 740 11a702e74917bf63670232f8405e3dd99cf649c5e3a51f987ae1dec6186ddfe3.exe
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID wrote to memory of target PID):
  - PID 740 11a702e74917bf63670232f8405e3dd99cf649c5e3a51f987ae1dec6186ddfe3.exe wrote to memory of PID 1916 MediaCenter.exe (4 events)
  - PID 740 11a702e74917bf63670232f8405e3dd99cf649c5e3a51f987ae1dec6186ddfe3.exe wrote to memory of PID 2012 cmd.exe (4 events)
  - PID 2012 cmd.exe wrote to memory of PID 1140 PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\11a702e74917bf63670232f8405e3dd99cf649c5e3a51f987ae1dec6186ddfe3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11a702e74917bf63670232f8405e3dd99cf649c5e3a51f987ae1dec6186ddfe3.exe"
  PID: 740
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1916
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11a702e74917bf63670232f8405e3dd99cf649c5e3a51f987ae1dec6186ddfe3.exe"
    PID: 2012
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1140
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1767b9bcfca479ce88aa4a72385ffeb6
  SHA1: 2b5ac8088e69dcd33c375abe078ec93be8bafb36
  SHA256: 89f56917b083b3c059baf17e43a66915e3dc073cee444bb8f4db9545691dc8fc
  SHA512: 689fa84d5acbef2cbae28261af913f24e0509345447d42f017f5b6356d536f3e24ed4683442b51deafad6c6c6ba1899b92931b8f448708df1ad41ee347f626f8