Analysis
- max time kernel: 117s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:51
Static task: static1
Behavioral task: behavioral1
  Sample: 1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe
  Resource: win10v2004-en-20220113
General
- Target: 1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe
- Size: 36KB
- MD5: c0223dbeed93c92a0f4cefc330a8b6eb
- SHA1: 3cf55a303ae2e28448ce6b37ac4adf0b1eb79df1
- SHA256: 1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4
- SHA512: 1a48db8b945f0ffdc458e4f58697cf581a5dcc55313bec1e82e4c4829f540903fd7bbe8ceff811522f6761609ada26e0ec6f6db625006417e1e35c4f9fc149d1
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  1888  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
  1980  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  1684  1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe
  1684  1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  Set value (str)
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege  1684  1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  PID 1684 wrote to memory of 1888  1684  1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe  MediaCenter.exe
  PID 1684 wrote to memory of 1888  1684  1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe  MediaCenter.exe
  PID 1684 wrote to memory of 1888  1684  1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe  MediaCenter.exe
  PID 1684 wrote to memory of 1888  1684  1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe  MediaCenter.exe
  PID 1684 wrote to memory of 1980  1684  1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe  cmd.exe
  PID 1684 wrote to memory of 1980  1684  1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe  cmd.exe
  PID 1684 wrote to memory of 1980  1684  1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe  cmd.exe
  PID 1684 wrote to memory of 1980  1684  1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe  cmd.exe
  PID 1980 wrote to memory of 1356  1980  cmd.exe  PING.EXE
  PID 1980 wrote to memory of 1356  1980  cmd.exe  PING.EXE
  PID 1980 wrote to memory of 1356  1980  cmd.exe  PING.EXE
  PID 1980 wrote to memory of 1356  1980  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1684
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1888
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1175cc1b1213ad48ab154b4526baa72ed6e18ba36d66616a73f98b2126b897c4.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1980
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1356
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 431afab5adae4904afef170771c8d9dd
  SHA1: cd28906a7887481e3d3e7589075359e635349461
  SHA256: 89a92f23da57d4ce79df1b600c7667e20745ed5e491730f1e622070f6a1510a4
  SHA512: 51e72018daea34ad54eb31907fabe2d89f0641dce49145962154863cb0d99db4207702cd8797d95293c4479d126eb93acb75fefe00d9912fc1f354ba04c4d6f6