Analysis
- max time kernel: 121s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:49
Static task: static1
Behavioral task: behavioral1
  Sample: 1195e7f703113daed4c3d4427907b1bc5b9e6ff99cc92b9dbc8a41c20ffb7927.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1195e7f703113daed4c3d4427907b1bc5b9e6ff99cc92b9dbc8a41c20ffb7927.exe
  Resource: win10v2004-en-20220113
General
- Target: 1195e7f703113daed4c3d4427907b1bc5b9e6ff99cc92b9dbc8a41c20ffb7927.exe
- Size: 36KB
- MD5: 91ff2c73fefa0143a917008f0bf58b32
- SHA1: 28af41da524e737917228e24b636238051ee0302
- SHA256: 1195e7f703113daed4c3d4427907b1bc5b9e6ff99cc92b9dbc8a41c20ffb7927
- SHA512: b6aa6f0558fb592b503f1ba97975a61c6e247f7d9d3077effbaa6b7a5afbc87feb00a87e8c55f3f8a05547a6077649d84988bf186861d9c63b3dd2a62482a672
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1552
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 1072
- Loads dropped DLL (2 IoCs, both from the same process)
  Process: 1195e7f703113daed4c3d4427907b1bc5b9e6ff99cc92b9dbc8a41c20ffb7927.exe, PID 1700
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 1195e7f703113daed4c3d4427907b1bc5b9e6ff99cc92b9dbc8a41c20ffb7927.exe, PID 1700
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The Wow6432Node path is the registry redirection a 32-bit process sees on 64-bit Windows; from the sample's point of view this is the ordinary HKLM Run key. The autostart value points into the user's Temp directory, which is the detail worth alerting on: legitimate machine-wide autostarts do not live there.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The report records no IoC for this signature, so treat the ransomware label as the sandbox's generic heuristic for the TTP rather than an observed finding.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE, PID 1124 (see the process tree below)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 1195e7f703113daed4c3d4427907b1bc5b9e6ff99cc92b9dbc8a41c20ffb7927.exe, PID 1700
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs, collapsed to unique writer/target pairs)
  PID 1700 (1195e7f703113daed4c3d4427907b1bc5b9e6ff99cc92b9dbc8a41c20ffb7927.exe) wrote to memory of PID 1552 (MediaCenter.exe): 4 events
  PID 1700 (1195e7f703113daed4c3d4427907b1bc5b9e6ff99cc92b9dbc8a41c20ffb7927.exe) wrote to memory of PID 1072 (cmd.exe): 4 events
  PID 1072 (cmd.exe) wrote to memory of PID 1124 (PING.EXE): 4 events
  Every target here is a child that the writer itself spawned; process creation routinely writes into the new child's address space, so these entries alone do not show injection into a foreign process. Cross-process writes whose target is not the writer's own child would be the signal to look for.
Processes
- C:\Users\Admin\AppData\Local\Temp\1195e7f703113daed4c3d4427907b1bc5b9e6ff99cc92b9dbc8a41c20ffb7927.exe (PID 1700, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1195e7f703113daed4c3d4427907b1bc5b9e6ff99cc92b9dbc8a41c20ffb7927.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1552, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1072, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1195e7f703113daed4c3d4427907b1bc5b9e6ff99cc92b9dbc8a41c20ffb7927.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    The image path is SysWOW64 although the command line names System32: the 32-bit parent asked for System32\cmd.exe and WoW64 file system redirection served the 32-bit copy. The ping to 127.0.0.1 is only a delay of a few seconds so the parent can exit before del removes its file; the pattern "cmd /c ping <host> & del <own image>" is the self-deletion idiom to hunt for, and the file is gone by the time a responder looks unless the sandbox or EDR captured it.
    - C:\Windows\SysWOW64\PING.EXE (PID 1124, level 3)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
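The three behaviours the tree and signatures above turn on (a self-delete via cmd /c ping & del, an HKLM Run value pointing into a user-writable path, and WriteProcessMemory entries that are really just process creation) can be checked mechanically. The following is an added example, not output or code from the sandbox: it transcribes the report's process tree, Run-key IoC and WriteProcessMemory IoC line into constructed records (the field names pid, ppid, image, cmdline are this example's own choice, not the sandbox's schema), collapses the 12 memory-write IoCs into unique parent/child edges, discards the edges that are merely a parent writing into a child it spawned, and flags the self-deleting cmd.exe and the Temp-directory autostart.

```python
import re

# Constructed sample data, transcribed from the sandbox report above. The record layout
# (pid, ppid, image, cmdline) is this example's own, not the sandbox's export format.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1195e7f703113daed4c3d4427907b1bc5b9e6ff99cc92b9dbc8a41c20ffb7927.exe")
SAMPLE_EXE = SAMPLE.rsplit("\\", 1)[1]
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESSES = [
    {"pid": 1700, "ppid": 0,    "image": SAMPLE,  "cmdline": f'"{SAMPLE}"'},
    {"pid": 1552, "ppid": 1700, "image": DROPPED, "cmdline": DROPPED},
    # Image is SysWOW64 while the command line names System32: WoW64 file redirection.
    {"pid": 1072, "ppid": 1700, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1124, "ppid": 1072, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]

REGISTRY_SETS = [
    {"pid": 1700,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
]

# The report's 12 WriteProcessMemory IoCs, run together on one line the way the page shows them.
WPM_IOCS = " ".join(
    [f"PID 1700 wrote to memory of 1552 1700 {SAMPLE_EXE} MediaCenter.exe"] * 4
    + [f"PID 1700 wrote to memory of 1072 1700 {SAMPLE_EXE} cmd.exe"] * 4
    + ["PID 1072 wrote to memory of 1124 1072 cmd.exe PING.EXE"] * 4
)

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
WPM_LINE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def dedupe_wpm(text):
    """Collapse repeated IoCs into unique (writer_pid, target_pid, writer_image, target_image) edges."""
    return sorted({(int(m[1]), int(m[2]), m[3], m[4]) for m in WPM_LINE.finditer(text)})


def injection_edges(text, processes):
    """Keep only writes whose target is NOT a child the writer spawned; those are the injection candidates."""
    spawned = {(p["ppid"], p["pid"]) for p in processes}
    return [e for e in dedupe_wpm(text) if (e[0], e[1]) not in spawned]


# cmd /c ping <host> & del [/switches] "<path>": the ping is only a delay before the delete.
SELF_DELETE = re.compile(r'/c\s+ping\b.*?&\s*del\s+(?:/\w\s+)*"?([^"&]+?)"?\s*$', re.IGNORECASE)


def detect_self_delete(processes):
    """Flag cmd.exe children whose delete target is the image of the parent that spawned them."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for p in processes:
        if not p["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(p["cmdline"])
        parent = by_pid.get(p["ppid"])
        if m and parent and m[1].strip().lower() == parent["image"].lower():
            hits.append((p["pid"], parent["pid"], parent["image"]))
    return hits


RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.IGNORECASE)


def detect_user_writable_run_key(registry_sets):
    """Match on the key's tail so the Wow6432Node redirection seen by 32-bit writers does not matter."""
    return [(r["pid"], r["key"].rsplit("\\", 1)[1], r["value"])
            for r in registry_sets
            if RUN_KEY.search(r["key"]) and USER_WRITABLE.search(r["value"])]


if __name__ == "__main__":
    for edge in dedupe_wpm(WPM_IOCS):
        print("write edge:", edge)
    print("cross-process injection edges:", injection_edges(WPM_IOCS, PROCESSES))
    print("self-delete:", detect_self_delete(PROCESSES))
    print("autostart from user-writable path:", detect_user_writable_run_key(REGISTRY_SETS))
```

On this report the 12 IoCs reduce to three edges, all parent-to-own-child, so the injection list is empty; the self-delete check returns PID 1072 deleting its parent's image, and the Run-key check returns the MicroMedia value. The same functions apply unchanged to Sysmon event 1 and event 13 records once mapped onto the pid/ppid/image/cmdline and key/value fields.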
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a31d9062a843418314458a127bae9b83
  SHA1: fd62be953c93754bd39a301fbd530b21e3066b13
  SHA256: 00a5d76e10d7ea6e762e4ad9a9ca364e1c6692af0bcddab2fc209db016bc849f
  SHA512: b78f3ceeaede0154537ab6355cef3fe9095fff377e85af1230f8b6bdeeef55b4995f7b982d4f6c483ac4d2a85e7227507e3643c026b90b01d2726b29eaf94c1e
  The report does not name this file. Its hashes differ from the submitted sample, so it is a separate artifact produced during the run.