Analysis
- max time kernel: 124s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:05
Static task: static1
Behavioral task: behavioral1
  Sample: 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe
  Resource: win10v2004-en-20220113
General
- Target: 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe
- Size: 58KB
- MD5: 5db5cb999f6a76f94e059a29e59fa461
- SHA1: 85dfb58a52777f885f5ea930407590e05034e56a
- SHA256: 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb
- SHA512: 1b99c887071767f3395b8651ca88b9eea7c3fde1fb0999c58144d1793476ac50dacfda8cf0e6ea62be523698532886e7298055d624ebc143c50ff9a5b90d846a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1348)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 828)
- Loads dropped DLL (2 IoCs)
  Processes: 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe (PID 1916), 2 occurrences
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe (PID 1916)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1916 (10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe) wrote to memory of PID 1348 (MediaCenter.exe), 4 occurrences
  PID 1916 (10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe) wrote to memory of PID 828 (cmd.exe), 4 occurrences
  PID 828 (cmd.exe) wrote to memory of PID 1044 (PING.EXE), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe (PID 1916, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1348, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 828, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1044, depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 52d83676a9fa4652c42c248f0b0ccba4
  SHA1: d68ad9a5c5b458ac7161c0150c35f71b227b37fc
  SHA256: 398e7aa19c206f2ee99ab2e3978afcff002b58144f637ee188e80a030784ff9d
  SHA512: fb668d49d9b0c060729ecbbe649490e0b86fc395fa5e27e65b2e7f19784e7d7590ba79ffd2f55246a2c6a17f6182d8a375b4f8e6106aea863078b5f6a504669f