Analysis
max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7-en-20210920
submitted: 30-09-2021 12:27
Static task: static1
Behavioral task: behavioral1
  Sample: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
  Resource: win10-en-20210920
General
Target: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
Size: 216KB
MD5: 052e970aff7e2e0e3209417a92f4e2c6
SHA1: 32c0cb93f35e65295a02d362c3bf4fd71fa9365c
SHA256: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629
SHA512: 38d19aea666d07db8c2f2925d3d7af99d03936cfda936fbc994d00ce66b27147647ca28bae684b99fdbbc7e424b34b13c5c5a6d4739d4a46934ae2ba744e8c8d
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1996  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
    740  cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
    1144  fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1144  fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1144 wrote to memory of 1996  1144  fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe  MediaCenter.exe  (4 entries)
    PID 1144 wrote to memory of 740   1144  fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe  cmd.exe  (4 entries)
    PID 740 wrote to memory of 1364   740   cmd.exe  PING.EXE  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: cc369833508bbe64d824b6986b457197
  SHA1: 6aa9a93dafdac6b28b0fc893e04059fb26dd09de
  SHA256: d4784d93ab8e7a6e1e4da6e5ea666c7b5259f2d5f2c9854c1d61c05648c7d9be
  SHA512: a56442a30301a354c87a2b47ae8ae3d30b9f1bcf2a86d881dca836094fe544fc9e0fdc0051819790aa41bf7c91b0068d1316ede0d609c1e1e5ed54ded4a98aa9
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: cc369833508bbe64d824b6986b457197
  SHA1: 6aa9a93dafdac6b28b0fc893e04059fb26dd09de
  SHA256: d4784d93ab8e7a6e1e4da6e5ea666c7b5259f2d5f2c9854c1d61c05648c7d9be
  SHA512: a56442a30301a354c87a2b47ae8ae3d30b9f1bcf2a86d881dca836094fe544fc9e0fdc0051819790aa41bf7c91b0068d1316ede0d609c1e1e5ed54ded4a98aa9
- memory/740-58-0x0000000000000000-mapping.dmp
- memory/1144-53-0x0000000076581000-0x0000000076583000-memory.dmp
  Filesize: 8KB
- memory/1364-59-0x0000000000000000-mapping.dmp
- memory/1996-55-0x0000000000000000-mapping.dmp