Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 30-09-2021 12:27
Static task: static1
Behavioral task: behavioral1
- Sample: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
- Resource: win10-en-20210920
General
- Target: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
- Size: 216KB
- MD5: 052e970aff7e2e0e3209417a92f4e2c6
- SHA1: 32c0cb93f35e65295a02d362c3bf4fd71fa9365c
- SHA256: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629
- SHA512: 38d19aea666d07db8c2f2925d3d7af99d03936cfda936fbc994d00ce66b27147647ca28bae684b99fdbbc7e424b34b13c5c5a6d4739d4a46934ae2ba744e8c8d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1996, process MediaCenter.exe
- Deletes itself (1 IoC)
  pid 740, process cmd.exe
- Loads dropped DLL (1 IoC)
  pid 1144, process fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", written by process fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
  The Wow6432Node path is the WOW64 registry redirection of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for a 32-bit process on the x64 guest, so a hunt for this persistence entry on 64-bit hosts has to cover both the native and the Wow6432Node view of the Run key.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; no file encryption activity is recorded elsewhere in this report.
- Runs ping.exe (1 TTP, 1 IoC)
  pid 1364, process PING.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 1144, process fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1144 wrote to memory of 1996 | 1144 | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe | 27 (recorded 4 times)
  PID 1144 wrote to memory of 740 | 1144 | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe | 30 (recorded 4 times)
  PID 740 wrote to memory of 1364 | 740 | cmd.exe | 32 (recorded 4 times)
  Every target is the writer's direct child in the process tree below (1996 and 740 are children of 1144, 1364 is a child of 740), so these writes are consistent with process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe (PID 1144)
   command line: "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1996, child of 1144)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 740, child of 1144)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1364, child of 740)
         command line: ping 127.0.0.1
         - Runs ping.exe

The command line names System32\cmd.exe while the image path is SysWOW64\cmd.exe: the sample is a 32-bit process, so WOW64 file system redirection maps System32 to SysWOW64 for it. The "ping 127.0.0.1 & del /q <own path>" idiom uses ping to localhost as a delay of a few seconds so that the original executable has exited, and its file is no longer locked, before cmd.exe deletes it; the self-deletion is therefore attributed to cmd.exe (PID 740) rather than to the sample itself.
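The two behaviours worth a detection on their own, the delay-then-delete self-removal and the Run-key value pointing into a user-writable temp directory, are easy to check against process-creation and registry telemetry. The following is an added example, not part of the sandbox report or the sample: it runs over constructed events whose fields (pid, ppid, image, cmdline, key, value, data) are assumed to be taken from Sysmon-style logs and whose contents mirror the process tree and the Run-key IoC above.

```python
"""Detection logic for the self-delete and temp-path Run-key behaviours seen in this
report. The events below are constructed from the report's process tree and registry
IoC; they are not real telemetry (added example, not the sandbox's own code)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:  # assumed shape of a process-creation event (Sysmon EID 1 style)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:  # assumed shape of a registry value-set event (Sysmon EID 13 style)
    pid: int
    image: str
    key: str
    value: str
    data: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report; ppid 900 for the sample is an assumption.
PROC_EVENTS = [
    ProcEvent(1144, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1996, 1144, DROPPED, DROPPED),
    ProcEvent(740, 1144, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1364, 740, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REG_EVENTS = [
    RegEvent(1144, SAMPLE,
             r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
             "MicroMedia", DROPPED),
]

# "ping ... & del <path>.exe" (or timeout ... & del): a delay followed by a delete.
SELF_DELETE_RE = re.compile(
    r'(?:^|\s)(?:ping|timeout)(?:\.exe)?\b.*?&\s*del\b.*?"?'
    r'(?P<target>[A-Za-z]:\\[^"&]+?\.exe)"?', re.I)
# Run / RunOnce under either the native or the Wow6432Node view.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
# Persistence target under a user's local temp directory.
USER_TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def find_self_delete(events):
    """Return (cmd_pid, parent_pid, target) for every cmd.exe whose command line
    delays and then deletes the image of its own parent process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        if not m:
            continue
        parent = by_pid.get(e.ppid)
        # Only fire when the deleted file is the parent's own image; a cmd.exe
        # deleting some unrelated .exe is not self-removal.
        if parent and parent.image.lower() == m.group("target").lower():
            hits.append((e.pid, e.ppid, m.group("target")))
    return hits


def find_temp_run_keys(events):
    """Return (pid, value_name, data) for Run/RunOnce values whose data points
    into a user-writable temp directory, in either registry view."""
    hits = []
    for r in events:
        if RUN_KEY_RE.search(r.key) and USER_TEMP_RE.match(r.data.strip('"')):
            hits.append((r.pid, r.value, r.data))
    return hits


if __name__ == "__main__":
    for hit in find_self_delete(PROC_EVENTS):
        print("self-delete via cmd.exe:", hit)
    for hit in find_temp_run_keys(REG_EVENTS):
        print("Run key into user temp:", hit)
```

The self-delete check keys on the parent relationship rather than on the "ping & del" string alone, because installers and updaters use the same idiom to remove their own temporary files; requiring the deleted path to equal the parent's image keeps the rule focused on the behaviour in this report. The Run-key check deliberately matches both the native key and the Wow6432Node redirection, since a 32-bit sample on an x64 host lands in the latter.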