Analysis
- max time kernel: 120s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:00
Static task: static1
Behavioral task: behavioral1
- Sample: 1123410a7eb2d5d1c4ca4ea4ffae6a6818140eaec06ac967a6b4fd5884643310.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1123410a7eb2d5d1c4ca4ea4ffae6a6818140eaec06ac967a6b4fd5884643310.exe
- Resource: win10v2004-en-20220112
General
- Target: 1123410a7eb2d5d1c4ca4ea4ffae6a6818140eaec06ac967a6b4fd5884643310.exe
- Size: 35KB
- MD5: ca983119cb826df2cc7de0d97d43e091
- SHA1: e3043cd4ff0b62af52e52321892a036778f7d9fa
- SHA256: 1123410a7eb2d5d1c4ca4ea4ffae6a6818140eaec06ac967a6b4fd5884643310
- SHA512: 27219ba6fa65cc1ee65da7a23a28214ebeba2f27507488543101c7773e6e7f87dcaf01819eb1046ea6244d107b4bf81c2437d5ae615ccdc3c58663e0a32177a1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    2036  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    480   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1592  1123410a7eb2d5d1c4ca4ea4ffae6a6818140eaec06ac967a6b4fd5884643310.exe
    1592  1123410a7eb2d5d1c4ca4ea4ffae6a6818140eaec06ac967a6b4fd5884643310.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 1123410a7eb2d5d1c4ca4ea4ffae6a6818140eaec06ac967a6b4fd5884643310.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour"; it is a generic heuristic, and no file-encryption activity is recorded elsewhere in this report.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                             pid   process
    Token: SeIncBasePriorityPrivilege       1592  1123410a7eb2d5d1c4ca4ea4ffae6a6818140eaec06ac967a6b4fd5884643310.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each pairing recorded four times):
    pid   process                                                                   target pid  target process
    1592  1123410a7eb2d5d1c4ca4ea4ffae6a6818140eaec06ac967a6b4fd5884643310.exe      2036        MediaCenter.exe
    1592  1123410a7eb2d5d1c4ca4ea4ffae6a6818140eaec06ac967a6b4fd5884643310.exe      480         cmd.exe
    480   cmd.exe                                                                   1324        PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\1123410a7eb2d5d1c4ca4ea4ffae6a6818140eaec06ac967a6b4fd5884643310.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1123410a7eb2d5d1c4ca4ea4ffae6a6818140eaec06ac967a6b4fd5884643310.exe"
   PID: 1592
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 2036
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1123410a7eb2d5d1c4ca4ea4ffae6a6818140eaec06ac967a6b4fd5884643310.exe"
      (the command line names System32 but the image runs from SysWOW64: the 32-bit parent's System32 reference is redirected by WoW64, consistent with the Wow6432Node Run key above)
      PID: 480
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1324
         - Runs ping.exe
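The two behaviours worth turning into detections from this tree are the self-deletion idiom (cmd.exe chaining a ping delay with del of the parent's own image) and the Run-key value that launches a binary from a user's Temp directory. The following is an added example, not part of the sandbox report or its tooling: the event records are constructed from the PIDs, paths and command lines shown above (plus one labelled benign control that is not in the report), and the record layout and function names are this example's own assumptions.

```python
"""Detections for two behaviours recorded in the report above:
 1. self-deletion via `cmd.exe /c ping ... & del ... <parent's own image>`
 2. a Run/RunOnce value whose data points into a Temp directory
Events are constructed from the report's process tree and registry IoC;
the dataclasses and function names are this example's own (assumptions).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # on-disk image path as the sandbox recorded it
    cmdline: str


@dataclass(frozen=True)
class RegistryEvent:
    pid: int
    key: str        # full key path, e.g. \REGISTRY\MACHINE\...\Run\MicroMedia
    data: str       # value data as recorded (backslashes doubled, as in the report)


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\1123410a7eb2d5d1c4ca4ea4ffae6a68"
           r"18140eaec06ac967a6b4fd5884643310.exe")
MEDIACENTER = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the report's process tree. PID 600 is a benign control that is
# NOT in the report: same ping-then-del shape, but the del target is not the parent.
PROCESSES = [
    ProcessEvent(1592, 0, DROPPER, '"' + DROPPER + '"'),
    ProcessEvent(2036, 1592, MEDIACENTER, MEDIACENTER),
    ProcessEvent(480, 1592, r"C:\Windows\SysWOW64\cmd.exe",
                 '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + DROPPER + '"'),
    ProcessEvent(1324, 480, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcessEvent(600, 1592, r"C:\Windows\SysWOW64\cmd.exe",
                 '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q '
                 '"C:\\Users\\Admin\\AppData\\Local\\Temp\\scratch.tmp"'),
]

# Constructed from the report's "Adds Run key" IoC.
REGISTRY = [
    RegistryEvent(1592,
                  r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
                  r"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"),
]

# `del` or `erase`, optional single-letter switches, then a quoted or bare path.
_DEL_RE = re.compile(r'^(?:del|erase)\b(?:\s+/[a-z])*\s+"?([^"]+?)"?\s*$', re.I)
_RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
_TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.I)


def _norm(path: str) -> str:
    """Case-fold a Windows path and undo the report's doubled backslashes."""
    return path.strip().strip('"').replace("\\\\", "\\").lower()


def detect_self_delete(events):
    """Return (cmd pid, parent pid, deleted path) for every cmd.exe whose /c or /k
    payload chains a ping with a del/erase of its parent's own image."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        m_c = re.search(r"\s/[ck]\s+(.*)$", e.cmdline, re.I)
        payload = m_c.group(1) if m_c else e.cmdline
        parts = [p.strip() for p in re.split(r"&&?", payload)]   # split on & and &&
        has_ping = any(p.lower().startswith("ping") for p in parts)
        for p in parts:
            m = _DEL_RE.match(p)
            if m and has_ping and _norm(m.group(1)) == _norm(parent.image):
                findings.append((e.pid, parent.pid, _norm(m.group(1))))
    return findings


def detect_temp_run_key(events):
    """Return (pid, value name, target path) for Run/RunOnce values under any hive
    (Wow6432Node included) whose data resolves into a Temp directory."""
    findings = []
    for e in events:
        if _RUN_KEY_RE.search(e.key) and _TEMP_RE.search(_norm(e.data)):
            findings.append((e.pid, e.key.rsplit("\\", 1)[-1], _norm(e.data)))
    return findings


if __name__ == "__main__":
    print("self-delete:", detect_self_delete(PROCESSES))
    print("temp run key:", detect_temp_run_key(REGISTRY))
```

The self-deletion check deliberately requires the del target to equal the parent's image rather than matching any `ping & del` chain, which is why the constructed control (PID 600) is not flagged; the Run-key check matches on the key suffix so that HKLM, HKCU and the Wow6432Node view are all covered.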
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 140cd861005048db22645329bcb1a18a
  SHA1: 07ce3633c92692513bf258053e33a0bad0334169
  SHA256: 6b871b11580e9f2a7c31f279075dd165cd14576d0c2eec98098342e3a8f0bc19
  SHA512: 92ef7e8bbfcf608ae55f1fd16fd5ca49120aed83e317c64241646a56f3835889d7d9d5f25f28622247c046e1abcc2e27d3917b0b054188a4d06a36f10831db32