9bd31a3fe86402deb4093397011f9b3eea295f77eeb0ffd5cd27ded039e18468

General

Target

5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2.exe
Size

77KB
MD5

de2147bd349bd429db6ed0149736465e
SHA1

b386fab1ca019046c87fbda87be360ba276defd6
SHA256

5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2
SHA512

44087c162fb48a05766c893e1ba64f9c2df28ff0bb8951287af517420f0bae5aa362e1a3ed89cda1b73900bd2ce8a4f9f3a14f5e74d8392de361f007647fa76a

Score

8^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 3768	976	5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2.exe	73
PID 976 wrote to memory of 3768	976	5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2.exe	73
PID 976 wrote to memory of 3768	976	5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2.exe	73
PID 976 wrote to memory of 3828	976	5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2.exe	74
PID 976 wrote to memory of 3828	976	5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2.exe	74
PID 976 wrote to memory of 3828	976	5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2.exe	74
PID 976 wrote to memory of 420	976	5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2.exe	75
PID 976 wrote to memory of 420	976	5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2.exe	75
PID 976 wrote to memory of 420	976	5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2.exe	75
PID 3828 wrote to memory of 620	3828	cmd.exe	79
PID 3828 wrote to memory of 620	3828	cmd.exe	79
PID 3828 wrote to memory of 620	3828	cmd.exe	79
PID 3768 wrote to memory of 1128	3768	cmd.exe	80
PID 3768 wrote to memory of 1128	3768	cmd.exe	80
PID 3768 wrote to memory of 1128	3768	cmd.exe	80
PID 420 wrote to memory of 1168	420	cmd.exe	81
PID 420 wrote to memory of 1168	420	cmd.exe	81
PID 420 wrote to memory of 1168	420	cmd.exe	81

Executes dropped EXE 1 IoCs

pid	Process
620	MediaCenter.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1128	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1168	PING.EXE

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

C:\Users\Admin\AppData\Local\Temp\5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2.exe
"C:\Users\Admin\AppData\Local\Temp\5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    3⤵
    - Modifies registry key
    - Adds Run entry to start application
    PID:1128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    3⤵
    - Executes dropped EXE
    PID:620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\5614bd0a2e2c2ca4194e99e2f848535fa9a16157bd78cae268cf2b3eda6e54c2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads