Analysis
- max time kernel: 124s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211208 (this report shows the behavioral1 run)
- submitted: 12-02-2022 06:04
Static task
- static1
Behavioral task
- behavioral1
  Sample: 10f130e7a40319d7b2fc3e09d816f6afb9c56f286f9c32aafd8195c519ce0eb3.exe
  Resource: win7-en-20211208
Behavioral task
- behavioral2
  Sample: 10f130e7a40319d7b2fc3e09d816f6afb9c56f286f9c32aafd8195c519ce0eb3.exe
  Resource: win10v2004-en-20220112
General
- Target: 10f130e7a40319d7b2fc3e09d816f6afb9c56f286f9c32aafd8195c519ce0eb3.exe
- Size: 35KB
- MD5: ead128b8b0c4425a7039fa9fb70eb217
- SHA1: 3376422afe7452d31b846f10ee1413af8d302056
- SHA256: 10f130e7a40319d7b2fc3e09d816f6afb9c56f286f9c32aafd8195c519ce0eb3
- SHA512: 9c2dde0d1251c9ff3004dfa977ed13b2cd22d9305903f2f9ecc65b883d3f909b4eb18504d63a993da31cfa2f41ed46a1ee7925433c402dedc1af20b8b50783f0
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1360)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 1980)
- Loads dropped DLL (2 IoCs)
  Process: 10f130e7a40319d7b2fc3e09d816f6afb9c56f286f9c32aafd8195c519ce0eb3.exe (PID 1728), two loads recorded
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 10f130e7a40319d7b2fc3e09d816f6afb9c56f286f9c32aafd8195c519ce0eb3.exe (PID 1728):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The value lands under Wow6432Node because the sample runs as a 32-bit process on a 64-bit host; the same WOW64 redirection is why its cmd.exe child resolves to SysWOW64 in the process tree. The detail worth hunting for is the autostart target: a Run entry that points into the user's Temp directory is rare for legitimate software.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but it is a generic heuristic and nothing else in this report corroborates encryption activity.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 1120), ping 127.0.0.1, started by cmd.exe (PID 1980) as a delay before the original sample is deleted.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege enabled by 10f130e7a40319d7b2fc3e09d816f6afb9c56f286f9c32aafd8195c519ce0eb3.exe (PID 1728)
- Suspicious use of WriteProcessMemory (12 IoCs)
  The twelve records are three parent-to-child writes, each logged four times:
  PID 1728 (sample) -> PID 1360 MediaCenter.exe
  PID 1728 (sample) -> PID 1980 cmd.exe
  PID 1980 cmd.exe -> PID 1120 PING.EXE
  Every pair is a parent/child edge of the process tree, so these writes are consistent with ordinary child-process creation rather than injection into an unrelated process.
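The Run-key write above is the most durable artifact in this report. The following added example (not code from the sandbox or from the sample) shows one way to triage registry "Set value" events for that pattern: it keeps only Run/RunOnce writes, extracts the executable from the value data, and flags targets that live in user-writable staging directories. The events are constructed: the first mirrors the report's record (with "sample.exe" standing in for the hash-named file), the other two are benign controls.

```python
"""Flag Run-key persistence that points into a user-writable staging directory.

Added example. SAMPLE_EVENTS is constructed: the first record mirrors the
sandbox's "Set value" entry, the other two are benign controls. 'sample.exe'
is a placeholder for the submitted file's hash-named executable.
"""
import re

SAMPLE_EVENTS = [
    {
        "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
        "name": "MicroMedia",
        "data": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
        "process": "sample.exe",
    },
    {   # benign control: a per-user autostart outside any staging dir
        "key": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
        "name": "OneDrive",
        "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "process": "OneDriveSetup.exe",
    },
    {   # benign control: Temp path, but not under a Run key
        "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo",
        "name": "DisplayName",
        "data": r"C:\Users\Admin\AppData\Local\Temp\installer.exe",
        "process": "msiexec.exe",
    },
]

# Run and RunOnce, under either the native path or the WOW64-redirected one.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)

# Directories any user can write to; an autostart pointing here is a triage signal.
STAGING_DIR_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\",
    re.IGNORECASE)


def image_from_value(data: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    m = re.match(r'\s*"?([^"]*?\.exe)', data, re.IGNORECASE)
    return m.group(1) if m else data.strip()


def find_suspicious_run_keys(events):
    """Return Run/RunOnce writes whose target lives in a user-writable staging dir."""
    hits = []
    for ev in events:
        if not RUN_KEY_RE.search(ev["key"].rstrip("\\")):
            continue
        image = image_from_value(ev["data"])
        if STAGING_DIR_RE.search(image):
            hits.append({
                "value_name": ev["name"],
                "image": image,
                "writer": ev["process"],
                # Wow6432Node means a 32-bit writer on a 64-bit host
                "wow64": "\\Wow6432Node\\" in ev["key"],
            })
    return hits


if __name__ == "__main__":
    for h in find_suspicious_run_keys(SAMPLE_EVENTS):
        print(f"[Run key] {h['value_name']} -> {h['image']} "
              f"(set by {h['writer']}, WOW64={h['wow64']})")
```

Treat a hit as a triage lead rather than a verdict: some legitimate updaters do register autostarts under AppData\Roaming, so pair the result with the writing process and with whether the target file is itself a freshly dropped binary, as it is here.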
Processes
- C:\Users\Admin\AppData\Local\Temp\10f130e7a40319d7b2fc3e09d816f6afb9c56f286f9c32aafd8195c519ce0eb3.exe (PID 1728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10f130e7a40319d7b2fc3e09d816f6afb9c56f286f9c32aafd8195c519ce0eb3.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1360)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1980)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10f130e7a40319d7b2fc3e09d816f6afb9c56f286f9c32aafd8195c519ce0eb3.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1120)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Two details of this tree are useful for detection. First, the sample asked for System32\cmd.exe but got SysWOW64\cmd.exe: file-system redirection for a 32-bit process, matching the Wow6432Node registry path above. Second, the "ping 127.0.0.1 & del /q <own path>" chain is the common self-deletion idiom: the loopback ping is a cheap sleep so the parent has exited and released its image file before del runs, which is why the original sample is gone while the dropped MediaCenter.exe and its Run key remain.
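To turn the tree and the "Deletes itself" / "Runs ping.exe" signatures into a reusable check, the following added example (not code from the sandbox or from the sample) rebuilds a process tree from process-creation records and flags cmd.exe children that delay with a loopback ping and then delete an executable, reporting whether the deleted file is the parent's own image. The records are constructed to mirror this report's tree, plus a benign ping as a control; "sample.exe" stands in for the hash-named file.

```python
"""Rebuild a process tree and flag the "ping 127.0.0.1 & del" self-deletion idiom.

Added example. SAMPLE_EVENTS is constructed to mirror the sandbox tree
(pid, ppid, image, command line) plus one benign control; 'sample.exe' is a
placeholder for the submitted file's hash-named executable.
"""
import ntpath
import re

SAMPLE_EVENTS = [
    (1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (1728, 1000, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (1360, 1728, r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    (1980, 1728, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (1120, 1980, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # benign control: an admin script pinging a host, no delete afterwards
    (2200, 1000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c ping -n 4 10.0.0.1 > nul"),
]

# "ping [-n N] <loopback> [> nul] & del|erase [/switches] <path>.exe"
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)(?:\s*>\s*nul)?\s*&+\s*'
    r'(?:del|erase)\s+(?:/\w\s+)*"?(?P<target>[^"]+?\.exe)"?',
    re.IGNORECASE)


def build_tree(events):
    """Map pid -> record and pid -> [child pids], in event order."""
    procs = {pid: {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmd}
             for pid, ppid, image, cmd in events}
    children = {pid: [] for pid in procs}
    for p in procs.values():
        children.setdefault(p["ppid"], []).append(p["pid"])
    return procs, children


def render_tree(events, root_pid):
    """Indented text tree in the same shape as the sandbox report."""
    procs, children = build_tree(events)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{procs[pid]['image']} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root_pid, 0)
    return lines


def find_self_deletion(events):
    """Flag cmd.exe processes that delay with ping and then delete an .exe.

    matches_parent is True when the deleted file is the parent's own image,
    i.e. the parent is erasing itself after handing off to a dropped copy.
    """
    procs, _ = build_tree(events)
    hits = []
    for p in procs.values():
        if ntpath.basename(p["image"]).lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(p["cmdline"])
        if not m:
            continue
        parent = procs.get(p["ppid"])
        target = m.group("target")
        hits.append({
            "cmd_pid": p["pid"],
            "parent_pid": p["ppid"],
            "target": target,
            "matches_parent": bool(parent) and target.lower() == parent["image"].lower(),
        })
    return hits


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_EVENTS, 1728)))
    for h in find_self_deletion(SAMPLE_EVENTS):
        print(f"self-deletion: cmd PID {h['cmd_pid']} deletes {h['target']} "
              f"(parent PID {h['parent_pid']}, own image={h['matches_parent']})")
```

The regex deliberately accepts the common variants (ping -n N, redirection to nul, erase instead of del, quoted or bare paths); the parent-image comparison is what separates a self-erasing dropper from a script that happens to clean up some other file.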
Network
MITRE ATT&CK Enterprise v6
Downloads
- Dropped file (the same hash set is reported three times)
  MD5: 3ddac1c5d353bcacc380c351e184c473
  SHA1: eb7bc45be1abfc532c18f0384f9715fc245df282
  SHA256: e1903c236ca7382d0a6d9a4b3f421323c3fe16a3473303e48719a2ac28ee6728
  SHA512: 740c05e279388ced7bc62384b79194c7b02f65fd0f624111c143eebfa01b06adfd6341a26ccc37aca61c1d34a09c8c2803361b75c7da47f86c5d18b8e8afd3ef