Analysis
-
max time kernel
138s -
max time network
141s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
30-09-2021 12:27
Static task
static1
Behavioral task
behavioral1
Sample
fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
Resource
win10-en-20210920
General
-
Target
fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
-
Size
216KB
-
MD5
052e970aff7e2e0e3209417a92f4e2c6
-
SHA1
32c0cb93f35e65295a02d362c3bf4fd71fa9365c
-
SHA256
fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629
-
SHA512
38d19aea666d07db8c2f2925d3d7af99d03936cfda936fbc994d00ce66b27147647ca28bae684b99fdbbc7e424b34b13c5c5a6d4739d4a46934ae2ba744e8c8d
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2708 MediaCenter.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 8 PING.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2524 fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2524 wrote to memory of 2708 2524 fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe 70 PID 2524 wrote to memory of 2708 2524 fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe 70 PID 2524 wrote to memory of 2708 2524 fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe 70 PID 2524 wrote to memory of 3964 2524 fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe 71 PID 2524 wrote to memory of 3964 2524 fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe 71 PID 2524 wrote to memory of 3964 2524 fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe 71 PID 3964 wrote to memory of 8 3964 cmd.exe 73 PID 3964 wrote to memory of 8 3964 cmd.exe 73 PID 3964 wrote to memory of 8 3964 cmd.exe 73
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:2708
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:8
-
-