Analysis
- max time kernel: 139s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:50
Static task: static1

Behavioral task: behavioral1
- Sample: 118747584f3180dca6d39c8d5effc69d7359828fd6d667477163d5af71363173.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 118747584f3180dca6d39c8d5effc69d7359828fd6d667477163d5af71363173.exe
- Resource: win10v2004-en-20220112
General
- Target: 118747584f3180dca6d39c8d5effc69d7359828fd6d667477163d5af71363173.exe
- Size: 36KB
- MD5: 79f0a40b1d942bef765508f16947b0ac
- SHA1: 42d7bf61659f69ab0810685d6d439af56ba890f4
- SHA256: 118747584f3180dca6d39c8d5effc69d7359828fd6d667477163d5af71363173
- SHA512: 0e22912928b71114e1c885c72448a2ed6093ea3e57eb213b813196a80de8c74cb012fd270efb5d34693ab077434bea1911d762d5d402337351a533263d15c040
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1148: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    PID 1076: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 1768: 118747584f3180dca6d39c8d5effc69d7359828fd6d667477163d5af71363173.exe
    PID 1768: 118747584f3180dca6d39c8d5effc69d7359828fd6d667477163d5af71363173.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    118747584f3180dca6d39c8d5effc69d7359828fd6d667477163d5af71363173.exe
    Description: Set value (str)
    IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    PID 1768: 118747584f3180dca6d39c8d5effc69d7359828fd6d667477163d5af71363173.exe
    Description: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID, target PID, source process, target process):
    1768 wrote to memory of 1148: 118747584f3180dca6d39c8d5effc69d7359828fd6d667477163d5af71363173.exe -> MediaCenter.exe (4 entries)
    1768 wrote to memory of 1076: 118747584f3180dca6d39c8d5effc69d7359828fd6d667477163d5af71363173.exe -> cmd.exe (4 entries)
    1076 wrote to memory of 672: cmd.exe -> PING.EXE (4 entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\118747584f3180dca6d39c8d5effc69d7359828fd6d667477163d5af71363173.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\118747584f3180dca6d39c8d5effc69d7359828fd6d667477163d5af71363173.exe"
  PID: 1768
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1148
    - Executes dropped EXE
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\118747584f3180dca6d39c8d5effc69d7359828fd6d667477163d5af71363173.exe"
    PID: 1076
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 672
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 74e52b84d1050da9c417535aeabc1c7c
  SHA1: 0df45ac4d3daab103e452511248d1ee973243c2e
  SHA256: 7fa074dd495a42f6feb22c8daface20c45b85ce186d3bdb6e748cb5d9ea376a3
  SHA512: edbd4209cb60ffa65a6e3754395da5733cb20eb35f23ea180d3ee12cd6c8dd019e9f5a4b485f861ea975e5eb1b6913f371df2998066785cf8ebe531177606240