Analysis
-
max time kernel
127s -
max time network
171s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
30-09-2021 12:29
Static task
static1
Behavioral task
behavioral1
Sample
7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe
Resource
win10v20210408
General
-
Target
7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe
-
Size
150KB
-
MD5
202ca1b19f8ecc7e648043485ff91082
-
SHA1
df4be15599023beca2a24de920199fcd88f1f034
-
SHA256
7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452
-
SHA512
8ae627b9e0ba4d79b31bf4f36db947374f3904e405f77b293f2bb2fa6b87afb69cc0b694db661dc2d53b0f51bf2e2a60053628dabc99363c74c4f70cf1bc1554
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1760 MediaCenter.exe -
Deletes itself 1 IoCs
pid Process 1284 cmd.exe -
Loads dropped DLL 1 IoCs
pid Process 240 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 616 PING.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 240 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 240 wrote to memory of 1760 240 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe 25 PID 240 wrote to memory of 1760 240 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe 25 PID 240 wrote to memory of 1760 240 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe 25 PID 240 wrote to memory of 1760 240 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe 25 PID 240 wrote to memory of 1284 240 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe 30 PID 240 wrote to memory of 1284 240 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe 30 PID 240 wrote to memory of 1284 240 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe 30 PID 240 wrote to memory of 1284 240 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe 30 PID 1284 wrote to memory of 616 1284 cmd.exe 32 PID 1284 wrote to memory of 616 1284 cmd.exe 32 PID 1284 wrote to memory of 616 1284 cmd.exe 32 PID 1284 wrote to memory of 616 1284 cmd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe"C:\Users\Admin\AppData\Local\Temp\7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1760
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:616
-
-