Analysis
- max time kernel: 120s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:51

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab.exe
  Resource: win10v2004-en-20220113

The platform and resource above match behavioral1, so the signatures and process tree that follow are from the Windows 7 x64 run; this page carries no results from the win10v2004 task.
General
- Target: 117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab.exe
- Size: 58KB
- MD5: 928a7d496b6088de01f3998200118ca8
- SHA1: 41fc815989fdcb364000e8c42632962072e9a31c
- SHA256: 117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab
- SHA512: 7a1aa2dccf744496a5c08ef77c387160f7eac208553e53dfeebc521cd5934da7e76137a23e5f9bf1416a32067fc7949b91fd1b4871f7817d92fb268f7a9fec19
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1360  process MediaCenter.exe
- Deletes itself (1 IoC)
  pid 648  process cmd.exe
- Loads dropped DLL (2 IoCs)
  pid 1728  process 117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab.exe
  pid 1728  process 117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  process 117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab.exe
  The key sits under Wow6432Node, the 32-bit view of HKLM\Software on a 64-bit host, so the sample is a 32-bit binary. The value name is MicroMedia and it points at the dropped executable in the user's Temp directory, which is the persistence artifact to look for on a live host.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That text is the signature's generic description. Nothing else in this report records encryption or a ransom note, so the ransomware label rests on the drive enumeration alone.
- Runs ping.exe (1 TTP, 1 IoC)
  pid 1072  process PING.EXE (see the process tree below)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  pid 1728  process 117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1728 wrote to memory of 1360 (117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab.exe -> MediaCenter.exe), 4 times
  PID 1728 wrote to memory of 648 (117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab.exe -> cmd.exe), 4 times
  PID 648 wrote to memory of 1072 (cmd.exe -> PING.EXE), 4 times
  Every write targets a child the writer had just created, which is what ordinary process creation looks like (the parent writes the child's startup parameters); no write into an unrelated process is recorded, so this is not evidence of injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab.exe"
  PID 1728
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID 1360
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab.exe"
    PID 648
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID 1072
      - Runs ping.exe

Two details of the tree are worth reading carefully. First, cmd.exe and PING.EXE were requested from System32 but loaded from SysWOW64: the file-system redirector did that because the sample is a 32-bit process on an x64 host, which is consistent with the Run value landing under Wow6432Node. Second, "ping 127.0.0.1" is not network activity but a delay (four echo requests to loopback, roughly three seconds on Windows) that lets the parent exit before "del /q" removes the original sample; after the run only the dropped MediaCenter.exe and its Run value remain, so an investigation that looks only for the submitted file name will miss the persistence.
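Added example, not part of the sandbox report: triage logic that encodes the behaviours recorded in the signatures and process tree above (the ping-then-del self-deletion whose target is the parent's own image, a Run value under Wow6432Node pointing into the user's Temp directory, and the SysWOW64 redirection that marks a 32-bit process) and runs it over event records constructed from this page. The event field names and the ppid of the root process are assumptions of this example, not the sandbox's schema.

```python
# Added example, not from the sandbox report: triage logic for the behaviours
# recorded on this page, run over event records constructed from the report.
# Field names and the root process's ppid (0) are assumptions of this example.
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\117da95ff930aa6f958a2b5224d4954a5f119df1c3b4688124ed0399eae177ab.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Process creations, constructed from the report's process tree.
PROCESS_EVENTS = [
    {"pid": 1728, "ppid": 0,    "image": SAMPLE,  "cmdline": f'"{SAMPLE}"'},
    {"pid": 1360, "ppid": 1728, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 648,  "ppid": 1728, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1072, "ppid": 648,  "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# The single registry write, constructed from the "Adds Run key" signature.
REGISTRY_EVENTS = [
    {"pid": 1728,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicroMedia", "data": DROPPED},
]

# Run and RunOnce keys, in either the native or the Wow6432Node view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# A per-user Temp directory: legitimate autostart entries rarely live there.
USER_TEMP_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# "ping <host> & del [/flags] <path>.exe": ping used as a sleep, then delete.
PING_DEL_RE = re.compile(
    r'\bping\b[^&]*&\s*del\b[^"]*"?(?P<target>[A-Z]:\\[^"&]+?\.exe)"?', re.I)


def find_self_delete(events):
    """Return (cmd_pid, parent_pid, target) for every cmd.exe whose ping & del
    target is the image of its own parent, i.e. the parent deleting itself."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m = PING_DEL_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not m or parent is None:
            continue
        target = m.group("target")
        if ntpath.normcase(parent["image"]) == ntpath.normcase(target):
            hits.append((e["pid"], parent["pid"], target))
    return hits


def find_temp_run_keys(reg_events):
    """Return (pid, value_name, data) for Run/RunOnce values that point into a
    user Temp directory."""
    hits = []
    for r in reg_events:
        data = r["data"].strip('"')
        if RUN_KEY_RE.search(r["key"]) and USER_TEMP_RE.match(data):
            hits.append((r["pid"], r["value"], data))
    return hits


def is_wow64_redirected(image, cmdline):
    """True when the command line asked for System32 but the image actually
    loaded came from SysWOW64: a 32-bit process on an x64 host."""
    return "\\syswow64\\" in image.lower() and "\\system32\\" in cmdline.lower()


def triage(proc_events, reg_events):
    """Collect one finding line per detection; returned, not just printed."""
    findings = []
    for cmd_pid, parent_pid, target in find_self_delete(proc_events):
        findings.append(f"self-delete: cmd.exe {cmd_pid} deletes parent {parent_pid} image {target}")
    for pid, name, data in find_temp_run_keys(reg_events):
        findings.append(f"persistence: pid {pid} set Run value {name!r} -> {data}")
    for e in proc_events:
        if is_wow64_redirected(e["image"], e["cmdline"]):
            findings.append(f"wow64: pid {e['pid']} is 32-bit (loaded {e['image']})")
    return findings


if __name__ == "__main__":
    for line in triage(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(line)
```

The self-delete check deliberately requires the del target to equal the parent's image rather than matching "ping & del" alone, since installers and updaters use the same idiom to clean up temporary files; the Run-key check likewise keys on the Temp location, not on the Run key itself, which benign software writes all the time.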
Network
MITRE ATT&CK Enterprise v6
Downloads
- Artifact (identical hashes are listed for all three download entries; they differ from the submitted sample's hashes in General above, so this is a separate file produced during the run)
  MD5: 041aecc9f2afcda7d8a7ab4d23a99fad
  SHA1: 86d8a77375e0959a97b7e58bcc6cb194b3d0ce29
  SHA256: 48409b716f9e9cadf8ba6cdb9b9ce7e56e87a0fa08958515af4e0cc971c4f7c2
  SHA512: cefbfb75486df0ebdf0f814622ccad31c94f551cd9f50731eadefab232a87ceaab5f5fc8d677545875498d4e7a5850bf5030891236d6e54d5b70e89175da192c