Analysis
- max time kernel: 119s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:52
Static task: static1
Behavioral task: behavioral1
- Sample: 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe
- Resource: win10v2004-en-20220113
General
- Target: 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe
- Size: 58KB
- MD5: 152c26784b9b8ece2d78d3772d163051
- SHA1: ebd75ac182790fdd64ece46b5f73aa7f5fb0b07b
- SHA256: 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f
- SHA512: 175f620a0ad1557bf563ab4d809eed7a88b2054ea8a24142e899c1577dcd0a6eef639fcf8f8f2b694e1ed82ab90477db1bb5103f9e7b6e642a89b81fe4eaa560
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1880 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    1928 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1596 | 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe
    1596 | 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1596 | 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1596 wrote to memory of 1880 | 1596 | 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe | MediaCenter.exe
    PID 1596 wrote to memory of 1880 | 1596 | 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe | MediaCenter.exe
    PID 1596 wrote to memory of 1880 | 1596 | 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe | MediaCenter.exe
    PID 1596 wrote to memory of 1880 | 1596 | 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe | MediaCenter.exe
    PID 1596 wrote to memory of 1928 | 1596 | 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe | cmd.exe
    PID 1596 wrote to memory of 1928 | 1596 | 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe | cmd.exe
    PID 1596 wrote to memory of 1928 | 1596 | 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe | cmd.exe
    PID 1596 wrote to memory of 1928 | 1596 | 117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe | cmd.exe
    PID 1928 wrote to memory of 1240 | 1928 | cmd.exe | PING.EXE
    PID 1928 wrote to memory of 1240 | 1928 | cmd.exe | PING.EXE
    PID 1928 wrote to memory of 1240 | 1928 | cmd.exe | PING.EXE
    PID 1928 wrote to memory of 1240 | 1928 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe (PID 1596)
  Command line: "C:\Users\Admin\AppData\Local\Temp\117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1880)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1928)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\117500e7e32fddb851fcee23a978fdf44657484f965bfb35e2ad2d477bf4416f.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1240)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 425e98fd36651957c70c3e319b37311a
  SHA1: 0e3fd8faf191305217e78f466fb730e7c6c9784e
  SHA256: d3fdcb2fcd530ad4c8ce4e39d51b476f4878ba037ee77c9246968313453e0671
  SHA512: fd1192603ff6e7471381afb7bd978123bcd8c77d915cba7a1ae6ae538c77f0d0375f39a11146c73e2704dee33d0c9649d817ff80000cfdbf3310591d3570341d