d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3

General

Target

d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.exe
Size

42KB
MD5

bc63a811632e3900a5100c330ef85399
SHA1

ba46b87f0671ea3f5f38450a50840d983482e005
SHA256

d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3
SHA512

a532e0afee9b6ed54bbaa27a4f4ec941c4368397ccc36b129fd50478603215bdb3ba357b9811bd894dbe9f170d27426a81d458776320e7b99f3788f34f193db4

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3964 MediaCenter.exe

pid	process
3964	MediaCenter.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

788 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2156 PING.EXE

pid	process
788	reg.exe

pid	process
2156	PING.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1832 wrote to memory of 2832	1832	d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.exe	cmd.exe
PID 1832 wrote to memory of 2832	1832	d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.exe	cmd.exe
PID 1832 wrote to memory of 2832	1832	d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.exe	cmd.exe
PID 1832 wrote to memory of 2844	1832	d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.exe	cmd.exe
PID 1832 wrote to memory of 2844	1832	d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.exe	cmd.exe
PID 1832 wrote to memory of 2844	1832	d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.exe	cmd.exe
PID 1832 wrote to memory of 3780	1832	d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.exe	cmd.exe
PID 1832 wrote to memory of 3780	1832	d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.exe	cmd.exe
PID 1832 wrote to memory of 3780	1832	d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.exe	cmd.exe
PID 2844 wrote to memory of 3964	2844	cmd.exe	MediaCenter.exe
PID 2844 wrote to memory of 3964	2844	cmd.exe	MediaCenter.exe
PID 2844 wrote to memory of 3964	2844	cmd.exe	MediaCenter.exe
PID 2832 wrote to memory of 788	2832	cmd.exe	reg.exe
PID 2832 wrote to memory of 788	2832	cmd.exe	reg.exe
PID 2832 wrote to memory of 788	2832	cmd.exe	reg.exe
PID 3780 wrote to memory of 2156	3780	cmd.exe	PING.EXE
PID 3780 wrote to memory of 2156	3780	cmd.exe	PING.EXE
PID 3780 wrote to memory of 2156	3780	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.exe
"C:\Users\Admin\AppData\Local\Temp\d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:3964

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\d14e01c6a99c69afe3fa4da43eaac290883dfa239b3c3956207b9981bd92f8d3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
db46fee69b5d77b78ad9e70853571bf8

SHA1
06dbdb5562a69a170d86e0e510f68de34751e8bb

SHA256
3839a1444a9e3383e9d96f1fca1aa3bd8296a27ea78a99176745ba228aad4900

SHA512
6118604caaec628359b6200f1974eeb2828c121a7a8f6290a9adfd34d3a7fd07b0ec6cf8b71baabb253797d27cc99c71f324ece844d1b308ad99c01ea2538855

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
db46fee69b5d77b78ad9e70853571bf8

SHA1
06dbdb5562a69a170d86e0e510f68de34751e8bb

SHA256
3839a1444a9e3383e9d96f1fca1aa3bd8296a27ea78a99176745ba228aad4900

SHA512
6118604caaec628359b6200f1974eeb2828c121a7a8f6290a9adfd34d3a7fd07b0ec6cf8b71baabb253797d27cc99c71f324ece844d1b308ad99c01ea2538855

Download Submit
memory/788-119-0x0000000000000000-mapping.dmp

Download
memory/2156-121-0x0000000000000000-mapping.dmp

Download
memory/2832-114-0x0000000000000000-mapping.dmp

Download
memory/2844-115-0x0000000000000000-mapping.dmp

Download
memory/3780-116-0x0000000000000000-mapping.dmp

Download
memory/3964-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing