Analysis
- Max time kernel: 151s
- Max time network: 169s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 12-02-2022 06:05
Static task: static1
Behavioral task: behavioral1
- Sample: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe
- Resource: win10v2004-en-20220112
General
- Target: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe
- Size: 60KB
- MD5: 13030c3dd7c830a77cc3e333691a8813
- SHA1: 1539f57703a248b4dea16ec240d309f82480d2d8
- SHA256: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e
- SHA512: adbf8b58646da4f7a32c98385828d0ca7b208762434b67018ec81ccf4ee05dfac8cb7ec4d01fa43754767fad1aaa25c94ed8ac672de3bca57907f9f3a47c490e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  PID 524: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  PID 1528: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe
  PID 1912: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe
  PID 1912: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe
  Description: Token: SeIncBasePriorityPrivilege
  PID 1912: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe, cmd.exe
  Description (source PID -> target PID: source process -> target process):
  PID 1912 wrote to memory of 524: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe -> MediaCenter.exe
  PID 1912 wrote to memory of 524: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe -> MediaCenter.exe
  PID 1912 wrote to memory of 524: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe -> MediaCenter.exe
  PID 1912 wrote to memory of 524: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe -> MediaCenter.exe
  PID 1912 wrote to memory of 1528: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe -> cmd.exe
  PID 1912 wrote to memory of 1528: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe -> cmd.exe
  PID 1912 wrote to memory of 1528: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe -> cmd.exe
  PID 1912 wrote to memory of 1528: 10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe -> cmd.exe
  PID 1528 wrote to memory of 1192: cmd.exe -> PING.EXE
  PID 1528 wrote to memory of 1192: cmd.exe -> PING.EXE
  PID 1528 wrote to memory of 1192: cmd.exe -> PING.EXE
  PID 1528 wrote to memory of 1192: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe"
  PID: 1912
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 524
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10e7bcd42696d458a5c6ff70c0425bb254e7b0d275d6650c0f302b49c8fc488e.exe"
    PID: 1528
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 1192
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 44197f980ab0e05a076ae7cdc643c808
  SHA1: 5754ae3c359c21998eb689347e602cd16c363047
  SHA256: 5851737bcbbe7d5c0e989ca96b110a048ef51c875908bd9ce892cc8153b95c8b
  SHA512: 064641f0234209e2f0059daf6b1923c747bceb40ad5eb8b26a7a05ab31346d2b17c2b73d706fdfb0548eb1a061b0c56470f271aa262d262060b61b4863f553ec