Analysis
- max time kernel: 158s
- max time network: 180s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:07
Static task: static1
Behavioral task: behavioral1
- Sample: 080d2456f11dc5f4b2d6ec4c7052e427f560346d7ab6cb55768e167d97a48a77.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 080d2456f11dc5f4b2d6ec4c7052e427f560346d7ab6cb55768e167d97a48a77.exe
- Resource: win10v2004-en-20220113
General
- Target: 080d2456f11dc5f4b2d6ec4c7052e427f560346d7ab6cb55768e167d97a48a77.exe
- Size: 36KB
- MD5: eb5f547cc1a5766e180726d5fde64846
- SHA1: 79d06e77abd5b4b07ebf497c8658476379bb372e
- SHA256: 080d2456f11dc5f4b2d6ec4c7052e427f560346d7ab6cb55768e167d97a48a77
- SHA512: 40e2378898557eac4ab6e83670dfe1f819e73b05bcfbd407e1dd688017c6fb32d3a988305afedda4e49173857a155696455359ec288c9868b3e58e057b2c754f
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  - PID 1536: MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  - PID 1096: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 900: 080d2456f11dc5f4b2d6ec4c7052e427f560346d7ab6cb55768e167d97a48a77.exe (listed twice)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  - Description: Set value (str)
    IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    Process: 080d2456f11dc5f4b2d6ec4c7052e427f560346d7ab6cb55768e167d97a48a77.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - Description: Token: SeIncBasePriorityPrivilege
    PID 900: 080d2456f11dc5f4b2d6ec4c7052e427f560346d7ab6cb55768e167d97a48a77.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description: PID wrote to memory of target PID, process, target process):
  - PID 900 (080d2456f11dc5f4b2d6ec4c7052e427f560346d7ab6cb55768e167d97a48a77.exe) wrote to memory of 1536 (MediaCenter.exe), 4 entries
  - PID 900 (080d2456f11dc5f4b2d6ec4c7052e427f560346d7ab6cb55768e167d97a48a77.exe) wrote to memory of 1096 (cmd.exe), 4 entries
  - PID 1096 (cmd.exe) wrote to memory of 1076 (PING.EXE), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\080d2456f11dc5f4b2d6ec4c7052e427f560346d7ab6cb55768e167d97a48a77.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\080d2456f11dc5f4b2d6ec4c7052e427f560346d7ab6cb55768e167d97a48a77.exe"
  PID: 900
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1536
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\080d2456f11dc5f4b2d6ec4c7052e427f560346d7ab6cb55768e167d97a48a77.exe"
    PID: 1096
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1076
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 74c722306e5f73c597c95b10c604cb73
  SHA1: d452bf44b47b55176eaaab9dce5ce76402e432af
  SHA256: 60e8b9c508ce9e5d38801bd29941b4ce7bf151c956e485a82796a3ff84aef71a
  SHA512: 9965b5a4175510359eec01049c18e0135c4085fb7ede33fc66ec4d577ad74e42452d0c48da3f9cc7a342dcccaafe380d36fea23168d9761d115cc4696952e338
- memory/900-55-0x0000000075B11000-0x0000000075B13000-memory.dmp
  Filesize: 8KB