Analysis
max time kernel: 117s
max time network: 134s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:01
Static task: static1
Behavioral task: behavioral1
  Sample: 11158ced628300162ad39e3701658b8e37f35b5bb0b3c2d3a246a82b579d0f71.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 11158ced628300162ad39e3701658b8e37f35b5bb0b3c2d3a246a82b579d0f71.exe
  Resource: win10v2004-en-20220113
General
Target: 11158ced628300162ad39e3701658b8e37f35b5bb0b3c2d3a246a82b579d0f71.exe
Size: 36KB
MD5: 9a719658483c4147e72c149e680b7ab1
SHA1: b154c62d47c47e7d5a5c4c9efccbe0c2698e27c3
SHA256: 11158ced628300162ad39e3701658b8e37f35b5bb0b3c2d3a246a82b579d0f71
SHA512: 15633050b1f489d6ef929dd17114537521ad0298bfd04d46278e123b8c19de4fe38f07c29e27577efda855a5daa971c142f3864899be3473292ac818755ad2d2
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes (pid, process): 1684 MediaCenter.exe
Deletes itself (1 IoC)
  Processes (pid, process): 300 cmd.exe
Loads dropped DLL (2 IoCs)
  Processes (pid, process): 868 11158ced628300162ad39e3701658b8e37f35b5bb0b3c2d3a246a82b579d0f71.exe; 868 11158ced628300162ad39e3701658b8e37f35b5bb0b3c2d3a246a82b579d0f71.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process): Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 11158ced628300162ad39e3701658b8e37f35b5bb0b3c2d3a246a82b579d0f71.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process): Token: SeIncBasePriorityPrivilege, 868 11158ced628300162ad39e3701658b8e37f35b5bb0b3c2d3a246a82b579d0f71.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 868 wrote to memory of 1684: 11158ced628300162ad39e3701658b8e37f35b5bb0b3c2d3a246a82b579d0f71.exe -> MediaCenter.exe (recorded 4 times)
    PID 868 wrote to memory of 300: 11158ced628300162ad39e3701658b8e37f35b5bb0b3c2d3a246a82b579d0f71.exe -> cmd.exe (recorded 4 times)
    PID 300 wrote to memory of 1052: cmd.exe -> PING.EXE (recorded 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\11158ced628300162ad39e3701658b8e37f35b5bb0b3c2d3a246a82b579d0f71.exe (depth 1, PID 868)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11158ced628300162ad39e3701658b8e37f35b5bb0b3c2d3a246a82b579d0f71.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 1684)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 300)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11158ced628300162ad39e3701658b8e37f35b5bb0b3c2d3a246a82b579d0f71.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (depth 3, PID 1052)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 1486e6f536136174e2f47a3101f94968
SHA1: 6e67a47a6ca646c2678dbb89629d37467c710c3f
SHA256: 805ccc2ddac8a05a57b05194da4e178b2d0ed9d7ad3210a74f538bb1a76556ee
SHA512: e0631f8a41660012b74c82e55ab5502f58c5d904b37ebf6a628c6b6fd3eef9190588325607cd449b23c26676c4f30ca50998d556b536a5736cadc7d1e1239689