Analysis
Max time kernel: 157s
Max time network: 173s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 10:06
Static task: static1
Behavioral task: behavioral1
  Sample: 081752a2846e278be8ba2ac9d2db3258427befde96f36febd9da5499d1fc0b02.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 081752a2846e278be8ba2ac9d2db3258427befde96f36febd9da5499d1fc0b02.exe
  Resource: win10v2004-en-20220113
General
Target: 081752a2846e278be8ba2ac9d2db3258427befde96f36febd9da5499d1fc0b02.exe
Size: 35KB
MD5: 0f8e10bedc21f836987ffdfc07274536
SHA1: a67f369ccc8e132d331b9d86d543b09dafb6e135
SHA256: 081752a2846e278be8ba2ac9d2db3258427befde96f36febd9da5499d1fc0b02
SHA512: 9a454b2878e556ab0f6e7038c4337fbe0460a44484441a64762c222b044c4a7d1886a9b3903380c20d770234f0d70723c1669da6dee6573895a61342beb304a9
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 268)
Deletes itself (1 IoC)
  Process: cmd.exe (PID 976)
  Note: the deletion is performed by cmd.exe on behalf of its parent, PID 1860, whose image is the file removed.
Loads dropped DLL (2 IoCs)
  Process: 081752a2846e278be8ba2ac9d2db3258427befde96f36febd9da5499d1fc0b02.exe (PID 1860), recorded twice
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 081752a2846e278be8ba2ac9d2db3258427befde96f36febd9da5499d1fc0b02.exe (PID 1860)
  Note: the value lands under Wow6432Node, which shows the sample is a 32-bit process on the x64 guest; the persisted binary is the dropped MediaCenter.exe in the user's Temp directory.
Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.
  Note: this is the sandbox's generic heuristic for drive enumeration. The report attributes it to no process and lists no IoC for it, so treat it as a hint rather than a ransomware verdict.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, 081752a2846e278be8ba2ac9d2db3258427befde96f36febd9da5499d1fc0b02.exe (PID 1860)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1860 (081752a2846e278be8ba2ac9d2db3258427befde96f36febd9da5499d1fc0b02.exe) wrote to memory of PID 268 (MediaCenter.exe), 4 entries
  PID 1860 (081752a2846e278be8ba2ac9d2db3258427befde96f36febd9da5499d1fc0b02.exe) wrote to memory of PID 976 (cmd.exe), 4 entries
  PID 976 (cmd.exe) wrote to memory of PID 2020 (PING.EXE), 4 entries
  Note: every write targets a child the writing process itself launched (see the process tree), which is consistent with ordinary child-process startup rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\081752a2846e278be8ba2ac9d2db3258427befde96f36febd9da5499d1fc0b02.exe (PID 1860)
   Command line: "C:\Users\Admin\AppData\Local\Temp\081752a2846e278be8ba2ac9d2db3258427befde96f36febd9da5499d1fc0b02.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 268)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 976)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\081752a2846e278be8ba2ac9d2db3258427befde96f36febd9da5499d1fc0b02.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 2020)
         Command line: ping 127.0.0.1
         - Runs ping.exe
Note: the command line names System32\cmd.exe but the executed image is SysWOW64\cmd.exe because the 32-bit sample is subject to WOW64 file-system redirection on the x64 guest. The ping 127.0.0.1 is a stall: it gives the parent process time to exit and release its file handle before del removes the original sample from disk, leaving only the dropped MediaCenter.exe and its Run key.
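The two behaviours this tree documents, the ping-then-del self-deletion in PID 976 and the Run-key persistence listed under Signatures, translate directly into detection logic. The following Python is an added example, not part of the sandbox report, and runs over constructed process-creation and registry-set events modelled on the tree above (the Sysmon-style field set, the parent PIDs 1000/3000 and the benign control rows for PID 3100 and the OneDrive value are invented for illustration). It generalizes the report's case: any cmd.exe child that combines a stall command (ping, timeout or choice; that list is an assumption) with a del of its own parent's image is flagged, and any Run/RunOnce value in either the native or the Wow6432Node hive whose target lives in a user-writable staging directory is flagged.

```python
import re
from dataclasses import dataclass

# Paths taken from the sandbox tree above.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "081752a2846e278be8ba2ac9d2db3258427befde96f36febd9da5499d1fc0b02.exe"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROP_PATH = TEMP + r"\MicroMedia\MediaCenter.exe"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon EventID 1 style; the field set is an assumption)."""
    pid: int
    ppid: int
    image: str      # on-disk image path, after WOW64 redirection
    cmdline: str    # command line as supplied by the parent


# Constructed events modelled on the report's process tree, plus one benign
# control (PID 3100) that runs ping from cmd.exe without deleting anything.
EVENTS = [
    ProcEvent(1860, 1000, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(268, 1860, DROP_PATH, DROP_PATH),
    ProcEvent(976, 1860, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'),
    ProcEvent(2020, 976, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(3100, 3000, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1'),
]

# Constructed registry-set events (pid, key, string value): the report's IoC
# followed by a benign control value.
REG_EVENTS = [
    (1860, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     DROP_PATH),
    (4000, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
]

# 'del' followed, within the same command segment, by a quoted or bare .exe path.
DEL_RE = re.compile(r'\bdel\b[^&|]*?"?(?P<path>[A-Za-z]:\\[^"&|]+\.exe)"?', re.IGNORECASE)
# Commands commonly used to stall until the parent's file handle closes
# (generalisation of the report's ping 127.0.0.1; the list is an assumption).
DELAY_RE = re.compile(r"\b(ping|timeout|choice)\b", re.IGNORECASE)
# Matches both the native hive and the Wow6432Node hive used in this report.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories an unprivileged user can write to, i.e. typical staging locations.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.IGNORECASE)


def detect_self_delete(events):
    """Return (cmd_pid, parent_pid, parent_image) for every cmd.exe that stalls
    and then deletes the image of the process that spawned it."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        # Match on the resolved image, not the command line: under WOW64 the
        # command line says System32 while the image is SysWOW64.
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        m = DEL_RE.search(e.cmdline)
        if parent and m and DELAY_RE.search(e.cmdline) \
                and m.group("path").lower() == parent.image.lower():
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def detect_staged_run_key(reg_events):
    """Return (pid, value_name, target) for Run/RunOnce values whose target
    lives in a user-writable directory."""
    hits = []
    for pid, key, value in reg_events:
        if RUN_KEY_RE.search(key) and USER_WRITABLE_RE.search(value):
            hits.append((pid, key.rsplit("\\", 1)[1], value))
    return hits


def ancestry(events, pid):
    """Image names from the outermost recorded ancestor down to pid, for triage output."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[1])
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for cmd_pid, parent_pid, image in detect_self_delete(EVENTS):
        print(f"self-delete: PID {cmd_pid} removes {image} of PID {parent_pid};"
              f" chain {' > '.join(ancestry(EVENTS, cmd_pid))}")
    for pid, name, target in detect_staged_run_key(REG_EVENTS):
        print(f"persistence: PID {pid} set Run\\{name} -> {target}")
```

The self-deletion rule deliberately requires the deleted path to equal the parent's image rather than matching any del in a cmd line, since administrators routinely delete files from scripts; combining the stall, the del and the parent relationship is what makes the pattern specific to this technique. The Run-key rule keys on where the target lives rather than on the value name, so it also catches the same persistence under a different name or in the 64-bit hive.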
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: feeae6cfcd926aafe42a151d1a615063
  SHA1: db1f9a55c4590de394dfa4a902f5fc3bdcdb1021
  SHA256: b5e8a2aeccf91678d8339df297d64961df596b2d3722198dfdb7c3da0f913d2f
  SHA512: 6045afdacb9354d7d94c12c4cff68c63d7a17b6e1c4161de56e7ef192ace1df19d9a05e8564193ef4eff91c8a9a036e44da34a0ecac7cdc943d7a60474c64cf5
  The report also records the same file, with identical hashes, twice under the drive-relative path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe.
memory/1860-54-0x0000000075891000-0x0000000075893000-memory.dmp
  Filesize: 8KB