Analysis
Max time kernel: 121s
Max time network: 133s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 10:01

Static task: static1
Behavioral task: behavioral1
  Sample: 0862d6560664c8f7aafbafcfdd57df2311beaa0087d5184a9ef76dd646e8ba9c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0862d6560664c8f7aafbafcfdd57df2311beaa0087d5184a9ef76dd646e8ba9c.exe
  Resource: win10v2004-en-20220113
General
Target: 0862d6560664c8f7aafbafcfdd57df2311beaa0087d5184a9ef76dd646e8ba9c.exe
Size: 36KB
MD5: 4b8ed849760f3649cb445040b22457b8
SHA1: b9551693acf8decd74542304994be95f2181fba6
SHA256: 0862d6560664c8f7aafbafcfdd57df2311beaa0087d5184a9ef76dd646e8ba9c
SHA512: a8fc26cdb6d0b74193d4b866d646bda25ad22f2c84bc85e544d7621b30dd09aaf8413741a70d810f376391fa09020348dea82a2aaccee4e72f6b0e5e2140e236
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1744)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 972)
- Loads dropped DLL (2 IoCs)
  Process: 0862d6560664c8f7aafbafcfdd57df2311beaa0087d5184a9ef76dd646e8ba9c.exe (PID 1452), two loads recorded
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0862d6560664c8f7aafbafcfdd57df2311beaa0087d5184a9ef76dd646e8ba9c.exe (PID 1452)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  This is the machine-wide HKLM Run key, landing under Wow6432Node through WOW64 registry redirection because the sample is a 32-bit process (its cmd.exe child likewise resolves to SysWOW64). Writing HKLM requires administrative rights, which the sandbox's Admin user evidently had. The value points into the user's Temp directory, so the persisted binary is the dropped MediaCenter.exe, not an installed program.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; note that the heuristic fires on drive enumeration alone, and nothing else in this report (no file writes beyond the dropped executable) shows encryption activity.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 1768), command line "ping 127.0.0.1". Used here as a delay rather than for network activity: the four loopback echoes give the parent process time to exit before cmd.exe runs del on its image.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0862d6560664c8f7aafbafcfdd57df2311beaa0087d5184a9ef76dd646e8ba9c.exe (PID 1452)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID  Source process                                                            Target PID  Target process   Writes
  1452        0862d6560664c8f7aafbafcfdd57df2311beaa0087d5184a9ef76dd646e8ba9c.exe     1744        MediaCenter.exe  4
  1452        0862d6560664c8f7aafbafcfdd57df2311beaa0087d5184a9ef76dd646e8ba9c.exe     972         cmd.exe          4
  972         cmd.exe                                                                   1768        PING.EXE         4
Processes
1. C:\Users\Admin\AppData\Local\Temp\0862d6560664c8f7aafbafcfdd57df2311beaa0087d5184a9ef76dd646e8ba9c.exe (PID 1452)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0862d6560664c8f7aafbafcfdd57df2311beaa0087d5184a9ef76dd646e8ba9c.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1744, child of 1452)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 972, child of 1452)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0862d6560664c8f7aafbafcfdd57df2311beaa0087d5184a9ef76dd646e8ba9c.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1768, child of 972)
         Command line: ping 127.0.0.1
         - Runs ping.exe
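The process chain above (dropper writes a Run value into Temp, launches the dropped MediaCenter.exe, then removes its own image via cmd /c ping & del) is a compact pattern to detect from endpoint telemetry. The following is an added example, not part of the sandbox report: Python detection logic run over constructed Sysmon-style events. The PIDs, image paths and command lines mirror the report's process tree; the event field names (eid, pid, image, cmdline, parent, target, details) and the two benign events used as negative controls are assumptions made for this example.

```python
import re

# Constructed sample telemetry shaped like Sysmon Event ID 1 (process creation)
# and Event ID 13 (registry value set). Paths and PIDs come from the report;
# the field layout and the benign events (PIDs 2000, 2100) are assumptions.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0862d6560664c8f7aafbafcfdd57df2311beaa0087d5184a9ef76dd646e8ba9c.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"eid": 1, "pid": 1452, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent": r"C:\Windows\explorer.exe"},
    {"eid": 13, "pid": 1452, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"eid": 1, "pid": 1744, "image": DROPPED, "cmdline": DROPPED, "parent": SAMPLE},
    {"eid": 1, "pid": 972, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
     "parent": SAMPLE},
    {"eid": 1, "pid": 1768, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1", "parent": r"C:\Windows\SysWOW64\cmd.exe"},
    # Benign noise: a bare ping, and a Run value pointing outside Temp.
    {"eid": 1, "pid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1',
     "parent": r"C:\Windows\explorer.exe"},
    {"eid": 13, "pid": 2100, "image": r"C:\Program Files\Vendor\Updater.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\Updater.exe /tray"},
]

# Executables living under the per-user Temp directory.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Any Run key, HKLM or HKCU, native or Wow6432Node.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# "ping <host> [...] & del [/switches] <path.exe>": ping used as a sleep
# before deleting a file. Captures the deleted path.
PING_THEN_DEL = re.compile(
    r'\bping\b[^&]*&+\s*del\b(?:\s+/\w+)*\s+"?([^"&]+?\.exe)"?', re.IGNORECASE)


def norm(path: str) -> str:
    """Normalise a Windows path for comparison: strip quotes, lowercase."""
    return path.strip().strip('"').lower()


def detect(events: list[dict]) -> list[dict]:
    """Return one finding per matched rule; each carries rule, pid and detail."""
    findings = []
    for ev in events:
        if ev["eid"] == 1:
            img, parent = norm(ev["image"]), norm(ev.get("parent", ""))
            m = PING_THEN_DEL.search(ev["cmdline"])
            if m and img.endswith("\\cmd.exe"):
                target = norm(m.group(1))
                # Deleting the parent's own image is the self-deletion pattern;
                # deleting anything else is still worth a lower-severity flag.
                rule = "self_delete" if target == parent else "delayed_delete"
                findings.append({"rule": rule, "pid": ev["pid"], "detail": target})
            if TEMP_DIR.search(img) and TEMP_DIR.search(parent):
                # A Temp-resident executable launched by another Temp-resident
                # executable: dropper running its payload.
                findings.append({"rule": "dropped_exe_from_temp",
                                 "pid": ev["pid"], "detail": img})
        elif ev["eid"] == 13:
            if RUN_KEY.search(ev["target"]) and TEMP_DIR.search(ev["details"]):
                findings.append({"rule": "run_key_to_temp",
                                 "pid": ev["pid"], "detail": ev["target"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:24} pid={f['pid']:<6} {f['detail']}")
```

The three rules are deliberately independent: the self-deletion check keys on the command line alone, the Run-key check on the registry write alone, and the Temp-to-Temp launch on parent/child images alone, so a partial view of the chain (for example, registry auditing without process telemetry) still yields at least one hit. Tune TEMP_DIR to cover other user-writable staging paths in your environment before relying on it.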
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2f80a0f9d36c1784489922bb7d99206e
  SHA1: 6daefc1b87cf901ff3b209aef314498b97981639
  SHA256: 8c115b9c5289ae12f63b315146041f9dbda98b0b5865fe122cac83804c02e714
  SHA512: 2a2a7273c16d5f48c8eb1c67016302b1740864a69d96828a6f2921ee2e4e09b834c95dc07aaf7b472763ca5d191109c74f2eb6a63467f47c1e33b6f4054bcffa
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (same file, drive-relative path)
  MD5: 2f80a0f9d36c1784489922bb7d99206e
  SHA1: 6daefc1b87cf901ff3b209aef314498b97981639
  SHA256: 8c115b9c5289ae12f63b315146041f9dbda98b0b5865fe122cac83804c02e714
  SHA512: 2a2a7273c16d5f48c8eb1c67016302b1740864a69d96828a6f2921ee2e4e09b834c95dc07aaf7b472763ca5d191109c74f2eb6a63467f47c1e33b6f4054bcffa
- memory/1452-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
  Filesize: 8KB (memory region 0x75AE1000-0x75AE3000 of PID 1452)