Analysis
- max time kernel: 145s
- max time network: 178s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:56
Static task: static1
Behavioral task: behavioral1
  Sample: 1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
  Resource: win10v2004-en-20220113
General
- Target: 1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
- Size: 35KB
- MD5: 6c142ca02f802a041c8e154f33f13168
- SHA1: ef11624f8126cb0524bc5c78a4d19141cbbadea6
- SHA256: 1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0
- SHA512: cb758c6549d323ecbbaa85eea88e1eb6473d832c5c83d39dec21bba21373f30e8ddf908b557bfc01cb7122bee6b18d96b04cee95ee9817381b31647b4bbfb487
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid   process
    1700  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid   process
    1368  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
    pid   process
    1780  1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
    1780  1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
    description: Token: SeIncBasePriorityPrivilege
    pid: 1780
    process: 1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe, cmd.exe
    description                       pid   process                                                                 target process
    PID 1780 wrote to memory of 1700  1780  1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe  MediaCenter.exe
    PID 1780 wrote to memory of 1700  1780  1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe  MediaCenter.exe
    PID 1780 wrote to memory of 1700  1780  1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe  MediaCenter.exe
    PID 1780 wrote to memory of 1700  1780  1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe  MediaCenter.exe
    PID 1780 wrote to memory of 1368  1780  1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe  cmd.exe
    PID 1780 wrote to memory of 1368  1780  1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe  cmd.exe
    PID 1780 wrote to memory of 1368  1780  1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe  cmd.exe
    PID 1780 wrote to memory of 1368  1780  1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe  cmd.exe
    PID 1368 wrote to memory of 428   1368  cmd.exe                                                                 PING.EXE
    PID 1368 wrote to memory of 428   1368  cmd.exe                                                                 PING.EXE
    PID 1368 wrote to memory of 428   1368  cmd.exe                                                                 PING.EXE
    PID 1368 wrote to memory of 428   1368  cmd.exe                                                                 PING.EXE
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1780
  - (level 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1700
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1368
    - (level 3) C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 428
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: dbfac22d57ec7c6995aee4d3ccc8bde2
  SHA1: 855b533af2427c67e34649e684bc6c3c2b773c67
  SHA256: e74f2be9647634199b027f90bf0583c367f50ea9e94001955f6f9e43b7c37fdb
  SHA512: fedb2ce7cacaeedc8235b59cd3434b626d068b6960cae52a1c04fd7aa88120024fcbca86057c900480e6fa4cd1faa24d5310a462903484a556e0e3c40700f13b