Analysis
- max time kernel: 120s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:50
Static task: static1
Behavioral task: behavioral1
- Sample: 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe
- Resource: win10v2004-en-20220112
General
- Target: 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe
- Size: 36KB
- MD5: b1508280266e1fcebaf353583fcf64ef
- SHA1: d62141ee2574f15290b86ea0138c198348462059
- SHA256: 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948
- SHA512: cdb649044aab904affa7c65cc617d8c3cf04c13c4b8105b835b0faa8214802cecf8f16a71b1ffdd1a06a0f696469c87c21784f9860093afc811254e986da2692
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 948)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1084)
- Loads dropped DLL (2 IoCs)
  Processes: 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe (PID 812), 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe (PID 812)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe (PID 812)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process):
  - PID 812 wrote to memory of 948; 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe -> MediaCenter.exe
  - PID 812 wrote to memory of 948; 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe -> MediaCenter.exe
  - PID 812 wrote to memory of 948; 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe -> MediaCenter.exe
  - PID 812 wrote to memory of 948; 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe -> MediaCenter.exe
  - PID 812 wrote to memory of 1084; 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe -> cmd.exe
  - PID 812 wrote to memory of 1084; 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe -> cmd.exe
  - PID 812 wrote to memory of 1084; 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe -> cmd.exe
  - PID 812 wrote to memory of 1084; 11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe -> cmd.exe
  - PID 1084 wrote to memory of 872; cmd.exe -> PING.EXE
  - PID 1084 wrote to memory of 872; cmd.exe -> PING.EXE
  - PID 1084 wrote to memory of 872; cmd.exe -> PING.EXE
  - PID 1084 wrote to memory of 872; cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe (level 1, PID 812)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 948)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 1084)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11913274e3af25a7afd64723858881bafca23e85a4213a03e64e2438bf86d948.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3, PID 872)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b06adf2ba688f9f2da7ea8ca45d610b8
- SHA1: 203677df0fdbf6fe9320c8e2892b67e819854300
- SHA256: 5025d9d757f36c06eef75c7a952aaca65be5db1cb7bf2beab5e2dabb260a389a
- SHA512: 643c8f56efc2eede167b78b92792e07031be513738197d69791509ff32a8e9208b8af618b6aef2f64aa0c6c8907743ce600b74ab31c2287a7def0a3b0fc13803