fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629

Resubmissions

24-02-2022 11:08

220224-m8nlsachc3 10

30-09-2021 12:27

210930-pmrseshfg9 8

Analysis

max time kernel
138s
max time network
141s
platform
windows10_x64
resource
win10-en-20210920
submitted
30-09-2021 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
Size

216KB
MD5

052e970aff7e2e0e3209417a92f4e2c6
SHA1

32c0cb93f35e65295a02d362c3bf4fd71fa9365c
SHA256

fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629
SHA512

38d19aea666d07db8c2f2925d3d7af99d03936cfda936fbc994d00ce66b27147647ca28bae684b99fdbbc7e424b34b13c5c5a6d4739d4a46934ae2ba744e8c8d

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2708 MediaCenter.exe

pid	process
2708	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

8 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe

description pid process

Token: SeIncBasePriorityPrivilege 2524 fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe

pid	process
8	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2524	fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.execmd.exe

description	pid	process	target process
PID 2524 wrote to memory of 2708	2524	fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe	MediaCenter.exe
PID 2524 wrote to memory of 2708	2524	fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe	MediaCenter.exe
PID 2524 wrote to memory of 2708	2524	fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe	MediaCenter.exe
PID 2524 wrote to memory of 3964	2524	fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe	cmd.exe
PID 2524 wrote to memory of 3964	2524	fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe	cmd.exe
PID 2524 wrote to memory of 3964	2524	fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe	cmd.exe
PID 3964 wrote to memory of 8	3964	cmd.exe	PING.EXE
PID 3964 wrote to memory of 8	3964	cmd.exe	PING.EXE
PID 3964 wrote to memory of 8	3964	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
"C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:8

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
b705ccb617ae0218d0a61d37e1153513

SHA1
58d2aed89e7ef3dd5ea3cb203733ee02f3ee78ae

SHA256
6cc2c05c1ba0af3f776cf4ac02e852968f4eeb3e50d76fff2b774fb35c88e649

SHA512
0c29a6f72990bdf87d86c029fbf5ba023cfaf8c8964dc339959e5b8af10c749effb54de8932afa5747395ad8874b917b490aee6eed043099322580a7f7c5cd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
b705ccb617ae0218d0a61d37e1153513

SHA1
58d2aed89e7ef3dd5ea3cb203733ee02f3ee78ae

SHA256
6cc2c05c1ba0af3f776cf4ac02e852968f4eeb3e50d76fff2b774fb35c88e649

SHA512
0c29a6f72990bdf87d86c029fbf5ba023cfaf8c8964dc339959e5b8af10c749effb54de8932afa5747395ad8874b917b490aee6eed043099322580a7f7c5cd3f

Download Submit
memory/8-119-0x0000000000000000-mapping.dmp

Download
memory/2708-115-0x0000000000000000-mapping.dmp

Download
memory/3964-118-0x0000000000000000-mapping.dmp

Download