Analysis
- Max time kernel: 119s
- Max time network: 127s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 12-02-2022 06:03
Static task: static1
Behavioral task: behavioral1
- Sample: 10fb3ce22c291ab7c191863acba567a9af11af6c35658f0dedb18368c1ac39cf.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 10fb3ce22c291ab7c191863acba567a9af11af6c35658f0dedb18368c1ac39cf.exe
- Resource: win10v2004-en-20220113
General
- Target: 10fb3ce22c291ab7c191863acba567a9af11af6c35658f0dedb18368c1ac39cf.exe
- Size: 35KB
- MD5: 516c4dbbfa5208dd711c617fc6d4aa64
- SHA1: 1e4b8d7f4f33983666dd3cc65a9bce4c5b5a0aad
- SHA256: 10fb3ce22c291ab7c191863acba567a9af11af6c35658f0dedb18368c1ac39cf
- SHA512: f521068a76b51c83651b04cc335175133e1df8f14025a43fc0f7e5d2f98b07314f81e360604e8d895def269edf2dc5769a871ad71efbe1759de2cb548cfe11b2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe, PID 1164
- Deletes itself (1 IoC)
  Processes: cmd.exe, PID 428
- Loads dropped DLL (2 IoCs)
  Processes: 10fb3ce22c291ab7c191863acba567a9af11af6c35658f0dedb18368c1ac39cf.exe, PID 1724 (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 10fb3ce22c291ab7c191863acba567a9af11af6c35658f0dedb18368c1ac39cf.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process 10fb3ce22c291ab7c191863acba567a9af11af6c35658f0dedb18368c1ac39cf.exe, PID 1724: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID (process) -> target PID (process), number of entries:
  1724 (10fb3ce22c291ab7c191863acba567a9af11af6c35658f0dedb18368c1ac39cf.exe) -> 1164 (MediaCenter.exe), 4 entries
  1724 (10fb3ce22c291ab7c191863acba567a9af11af6c35658f0dedb18368c1ac39cf.exe) -> 428 (cmd.exe), 4 entries
  428 (cmd.exe) -> 1960 (PING.EXE), 4 entries
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\10fb3ce22c291ab7c191863acba567a9af11af6c35658f0dedb18368c1ac39cf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10fb3ce22c291ab7c191863acba567a9af11af6c35658f0dedb18368c1ac39cf.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1724
  [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1164
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10fb3ce22c291ab7c191863acba567a9af11af6c35658f0dedb18368c1ac39cf.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 428
    [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1960
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0e4c579f5282546c6e04ff37000e7f7a
  SHA1: d9ec8ee45fd7dc2acb4fb9cabce96bc0ecab7e6b
  SHA256: 9a63d7256d3d5c1027fe4b8f1b976643e54d480115c66f0e52ac020c4f38ea56
  SHA512: ac584710779641f745ecf98d7321cd10543636bda4aacd51c6ad6639233219930adc55d201a7fc56e751a297caed100ff797c47eb6c6c1bee16baff56de61d9b