Analysis
- max time kernel: 121s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:03
Static task: static1
Behavioral task: behavioral1
- Sample: 11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe
- Resource: win10v2004-en-20220113
General
- Target: 11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe
- Size: 58KB
- MD5: bade25ece03996185fea725ab7a9dfbd
- SHA1: fa83d5ab0900b296276d288f00014dea231f6181
- SHA256: 11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c
- SHA512: bf121140b5c47b8550b51cf73ddd97e41da5fd6215a423aa396485edc09d4a9c6becf8991e59d19b20f38516c8325a9daedd65ee06a09de189fb6d74313f7a40
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 1676  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid 1268  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 740  11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe
    pid 740  11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid 740  11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (PID wrote to memory of target PID; process -> target process):
    740 -> 1676  11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe -> MediaCenter.exe
    740 -> 1676  11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe -> MediaCenter.exe
    740 -> 1676  11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe -> MediaCenter.exe
    740 -> 1676  11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe -> MediaCenter.exe
    740 -> 1268  11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe -> cmd.exe
    740 -> 1268  11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe -> cmd.exe
    740 -> 1268  11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe -> cmd.exe
    740 -> 1268  11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe -> cmd.exe
    1268 -> 1140  cmd.exe -> PING.EXE
    1268 -> 1140  cmd.exe -> PING.EXE
    1268 -> 1140  cmd.exe -> PING.EXE
    1268 -> 1140  cmd.exe -> PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 740
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1676
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11054ee2f4163ef1a41d777e6e1823893d2fb4f7e59e2e435436582b16c2878c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1268
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1140
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5190e97e9652cd0ae18279d79f56747b
  SHA1: 22a595aec3168c9b6135cb3abca51ded499d9d51
  SHA256: 3e6bb229b0bd3ca05f891d6077171b836e002cb7c1fb4fdf98b10910b377f31b
  SHA512: 2d7e8573f9c3a20c4cc88f916906304e9a1b26f1ba711b3abce99514313f342326b835ce915897e752048801fcabacb0b7d0cd792bfd0c22f9588d7c834b0914