Analysis
- max time kernel: 124s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:14
Static task: static1
Behavioral task: behavioral1
  Sample: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe
  Resource: win10v2004-en-20220113
General
- Target: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe
- Size: 36KB
- MD5: 5ba8b640d31085d6b4f327b6cf01f412
- SHA1: f5a515abc4f3e804d8288b88df40a62d0549e9f1
- SHA256: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572
- SHA512: ae12cb2eecf540ce40f839ec7fed1ee9bbb29ba232fe4900762fa8fb83ed6cc89306fe28a29074a028a8ddcc708a56b5bf188d4ca18ab4b21677da76303fb88b
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (pid 1616)
- Deletes itself (1 IoC)
  Processes: cmd.exe (pid 1604)
- Loads dropped DLL (2 IoCs)
  Processes: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe (pid 1752), 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe (pid 1752)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe (pid 1752)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID  Target PID  Source process                                                          Target process  Events
  1752        1616        1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe  MediaCenter.exe 4
  1752        1604        1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe  cmd.exe         4
  1604        1484        cmd.exe                                                                 PING.EXE        4
Processes
1. C:\Users\Admin\AppData\Local\Temp\1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe"
   PID: 1752
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1616
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe"
      PID: 1604
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1484
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f0a5a87c6b9b7dc7aae91ceb41fc052a
  SHA1: 704d2f6f0361a9724d67b7b1b06029f674b2ab26
  SHA256: 50551b607daf4749053eb4feee8cb85e00a9d706a37639ab54416cbc96c27cde
  SHA512: ca734364e1099c7918f5f8013ccd0d6b154f903ef14b0103a8aee9cb9dd8046d1f3e40a37e8b507d7d46c4db175efc415b52bf9298fc13ab77e0b54962ebb02c