Analysis
- max time kernel: 117s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:58
Static task: static1
Behavioral task: behavioral1
- Sample: 112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe
- Resource: win10v2004-en-20220112
General
- Target: 112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe
- Size: 58KB
- MD5: d331a5b4a05feeba83947fbfb8f46efa
- SHA1: 35d62248fdf84ed4a6a44dd544a4e909e0ff2f49
- SHA256: 112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9
- SHA512: 2db7f730861a2e75783c1222126abe8b91116c0c85f6a30794bf16514fc7cb23159d75cee6726a80afacf4e0b06f43bc3aaef9a42c57a47b75bd659a37b240a1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 804)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 932)
- Loads dropped DLL (2 IoCs)
  Processes: 112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe (PID 964); 112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe (PID 964)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe (PID 964)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 964 (112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe) wrote to memory of PID 804 (MediaCenter.exe)
  PID 964 (112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe) wrote to memory of PID 804 (MediaCenter.exe)
  PID 964 (112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe) wrote to memory of PID 804 (MediaCenter.exe)
  PID 964 (112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe) wrote to memory of PID 804 (MediaCenter.exe)
  PID 964 (112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe) wrote to memory of PID 932 (cmd.exe)
  PID 964 (112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe) wrote to memory of PID 932 (cmd.exe)
  PID 964 (112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe) wrote to memory of PID 932 (cmd.exe)
  PID 964 (112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe) wrote to memory of PID 932 (cmd.exe)
  PID 932 (cmd.exe) wrote to memory of PID 1884 (PING.EXE)
  PID 932 (cmd.exe) wrote to memory of PID 1884 (PING.EXE)
  PID 932 (cmd.exe) wrote to memory of PID 1884 (PING.EXE)
  PID 932 (cmd.exe) wrote to memory of PID 1884 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe (PID 964, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 804, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 932, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\112fd5f7b1dbc1a25e916764c5430793c7b277307b2a623fc782a416a695f0d9.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1884, level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c759bc4b1f12c73aaf399d959f47b4c8
  SHA1: 9a0b9675fb09769fa08f702fd72c466fc914ecff
  SHA256: ac815d5cb663e75e0bb414fab27c0b975fef86172997c2fed0a9993bb53a4ac0
  SHA512: 8c1233ed5aa2fcdf1f9641775134317596cb34454481c46b6d5249b8cfa68852759d554b1002a8e7b3f20331cd4f1768ee9fc73e60c001275e317fecb0b80709