Analysis
- max time kernel: 117s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:00
Static task
- static1

Behavioral task
- behavioral1
- Sample: 086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe
- Resource: win7-en-20211208

Behavioral task
- behavioral2
- Sample: 086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe
- Resource: win10v2004-en-20220113
General
- Target: 086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe
- Size: 60KB
- MD5: 32ba6334e4d25b3810ec84d329b789a4
- SHA1: 8bda93f43005ac865708175757ab9eb67700937d
- SHA256: 086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471
- SHA512: cfe6da311fbf6306f2798fd61214412bd2d387b387fef4a68c344c93d874bc8479743aa586c16f1c8576f17610224efe7ad66a4c791a87e558aad374187a24df
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: pid 1092, MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: pid 964, cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 1624, 086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: pid 1624, 086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (pid -> target pid, process -> target process):
  PID 1624 wrote to memory of 1092: 086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe -> MediaCenter.exe (4 events)
  PID 1624 wrote to memory of 964: 086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe -> cmd.exe (4 events)
  PID 964 wrote to memory of 1824: cmd.exe -> PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1624
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1092
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 964
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1824
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d6dc6747f3996fe1f2755a69e09ac59c
  SHA1: 452476e66f6bfb97b7f662e531e3037e18a6fa9a
  SHA256: c95635ab55e329c6a24a0f0d45b7b54bba728c15f5a3d813b6b90cdd410c329e
  SHA512: 73c73da711c3de565cb78bb105412b0c74ec93d5e111570563c8de9f2e998f15d40c5bef29f424d4eb4c29b055b09b5c06f3cd63e1bf313459e737ac3b32e2f7
- memory/1624-54-0x0000000076121000-0x0000000076123000-memory.dmp
  Filesize: 8KB