Analysis

max time kernel: 117s
max time network: 131s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:00
Static task: static1

Behavioral task: behavioral1
Sample: 111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06.exe
Resource: win10v2004-en-20220113

The signatures and process tree below are from the windows7_x64 run (behavioral1, resource win7-en-20211208) named in the Analysis header.
General

Target: 111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06.exe
Size: 36KB
MD5: 05e2aab06253aa3e0bc32568953be56c
SHA1: 74cb4c32df13d75ac81bf4e078cf81ec9f038047
SHA256: 111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06
SHA512: 07b3ebc5c337bcccd6ab6fbed9c97efe1487cf38ae5de2b0d018fac93c45b8cad2a055d9e7064de591274973561243597053167065239cf6a207ae5d6a3a748a
Malware Config
Signatures

Executes dropped EXE 1 IoCs
Processes:
  PID 940  MediaCenter.exe

Deletes itself 1 IoCs
Processes:
  PID 428  cmd.exe

Loads dropped DLL 2 IoCs
Processes:
  PID 1528  111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06.exe
  PID 1528  111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path shows the writer is a 32-bit process on 64-bit Windows: its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run was redirected, and the value is still processed at logon. From a 32-bit view of the registry the value appears under the unredirected Run path. The value points at the executable dropped and launched as PID 940, so persistence is on the dropped copy, not on the original sample, which is deleted below.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the signature; no file-encryption or ransom-note activity appears anywhere else in this report, so treat the ransomware attribution as unconfirmed.

Runs ping.exe 1 TTPs 1 IoCs
Processes:
  PID 1808  PING.EXE  (ping 127.0.0.1, used as a delay before the self-delete; see the process tree)

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  Token: SeIncBasePriorityPrivilege  PID 1528  111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  PID 1528 (111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06.exe) wrote to memory of PID 940 (MediaCenter.exe)  x4
  PID 1528 (111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06.exe) wrote to memory of PID 428 (cmd.exe)  x4
  PID 428 (cmd.exe) wrote to memory of PID 1808 (PING.EXE)  x4
  Every target is a direct child the writer had just spawned, and the same four-write pattern appears for cmd.exe spawning PING.EXE, so this is the sandbox's baseline for process creation rather than evidence of injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06.exe  (PID 1528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 940)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 428)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 1808)
      Command line: ping 127.0.0.1
      - Runs ping.exe

The cmd.exe image path is SysWOW64 although the command line names System32: the 32-bit sample's request for System32\cmd.exe is redirected by WOW64 file-system redirection, consistent with the Wow6432Node Run key above. The "ping 127.0.0.1 & del /q <sample path>" idiom uses ping as a short delay so that the sample process has exited, releasing its file lock, before del removes the original; the persisted copy in MicroMedia\MediaCenter.exe is what remains on disk.
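The two behaviours the tree shows, self-deletion through cmd.exe and persistence of the dropped copy through the Run key, turned into detection logic. This is an added example in Python, not code from the original report or from the sandbox vendor. The process and registry events are constructed from the report's process tree and Run-key IoC; the event field names (pid, ppid, image, cmdline, key, value, data) and the sample's own parent PID (1000) are assumptions of this example. It flags any process whose ping-then-del target is its parent's own image, and any Run value pointing into the user's Temp directory, joined to the PID that already executed from that path.

```python
"""Detection logic for the report's self-delete and Run-key IoCs.
Added example, not code from the original report or the sandbox vendor.
Events are constructed from the report's process tree and Run-key entry;
the event schema and the sample's own parent PID (1000) are assumptions."""
import re
from collections import namedtuple

# image = path as executed (after WOW64 redirection), cmdline = as launched
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
RegSetEvent = namedtuple("RegSetEvent", "pid key value data")

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\111fee3aecf5e6a176f1f1d2d14ca4e2f3aa1778469d8b54ba0b1a21ec0dde06.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the report's process tree (1528 -> 940, 1528 -> 428 -> 1808).
PROCS = [
    ProcEvent(1528, 1000, SAMPLE, f'"{SAMPLE}"'),  # ppid 1000 is assumed
    ProcEvent(940, 1528, DROPPED, DROPPED),
    ProcEvent(428, 1528, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1808, 428, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# Constructed from the report's "Adds Run key" IoC; the report prints the
# data with doubled (escaped) backslashes, this is the raw registry string.
REGS = [
    RegSetEvent(1528,
                r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
                "MicroMedia", f'"{DROPPED}"'),
]

# "ping <anything> & del [/switches] <path>": ping is only a delay so the
# parent has exited (releasing its file lock) before del runs.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&+\s*del\b(?:\s+/\w+)*\s+"?(?P<path>[^"]+?)"?\s*$', re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def _norm(path):
    """Case-fold and strip quotes so paths from different sources compare equal."""
    return path.strip().strip('"').lower()


def delete_target(cmdline):
    """Path deleted by a ping-then-del command line, or None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("path") if m else None


def self_deletions(procs):
    """Processes running ping-then-del, flagged when the target is the
    parent's own image (true self-deletion, as in the report)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        target = delete_target(p.cmdline)
        if target is None:
            continue
        parent = by_pid.get(p.ppid)
        hits.append({
            "cmd_pid": p.pid,
            "parent_pid": p.ppid,
            "deleted": target,
            "deletes_parent": parent is not None and _norm(parent.image) == _norm(target),
        })
    return hits


def temp_run_persistence(regs, procs):
    """Run-key values pointing into the user's Temp directory, joined to
    the PID already executed from that path (None if nothing ran from it)."""
    image_to_pid = {_norm(p.image): p.pid for p in procs}
    hits = []
    for r in regs:
        if not r.key.lower().endswith(r"\currentversion\run"):
            continue
        if not TEMP_DIR_RE.search(r.data):
            continue
        target = _norm(r.data)
        hits.append({
            "writer_pid": r.pid,
            "value": r.value,
            "target": target,
            "executed_as_pid": image_to_pid.get(target),
        })
    return hits


if __name__ == "__main__":
    for h in self_deletions(PROCS):
        print("self-delete:", h)
    for h in temp_run_persistence(REGS, PROCS):
        print("persistence:", h)
```

On this report's events the self-delete hit is cmd.exe PID 428 deleting the image of its parent PID 1528, and the persistence hit is the MicroMedia value whose target already ran as PID 940; a writer that both persists a Temp-resident copy and deletes its own image is the full drop, persist, delete sequence the tree shows. The delete regex also accepts the common variants with a ping count, output redirection and "&&", which the test below exercises.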
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: d1d093c897502545ceb44690b18b4330
SHA1: 701849d4d86082c890ff97d8f00dd400c000b406
SHA256: 3381b3496c38dbed81f2dd49b40aa8af478fa16a5f91d2fde855708e8581ea70
SHA512: 04179711ad55a9101bcea29c75a2dd46f4fa6118ef26c3d88099184840bed69bc78621861b09a850f1281719262cb5632e88b094b95ee5a44925a86870297820