Analysis
- max time kernel: 117s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:08
Static task: static1
Behavioral task: behavioral1
  Sample: 08051b142908faf03033c52604afec838f8d507dadb939a8b966d19018f31823.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 08051b142908faf03033c52604afec838f8d507dadb939a8b966d19018f31823.exe
  Resource: win10v2004-en-20220112
General
- Target: 08051b142908faf03033c52604afec838f8d507dadb939a8b966d19018f31823.exe
- Size: 58KB
- MD5: d2fd3ac2efa166b635d1ad9a21a545c5
- SHA1: a119e19bb303bdf76d3d0fc38ed7264edf5a5f9a
- SHA256: 08051b142908faf03033c52604afec838f8d507dadb939a8b966d19018f31823
- SHA512: 490b0013a7bb1b9d5576f83f5118363806cde52054ff8b6a1b686921a0d3d791d0ff1ed1b16153fceb149672a40b9eb4642ef440e79824b8bbbfdcbf058ebc9e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 840)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 1152)
- Loads dropped DLL (2 IoCs)
  Process: 08051b142908faf03033c52604afec838f8d507dadb939a8b966d19018f31823.exe (PID 1660), 2 events
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 08051b142908faf03033c52604afec838f8d507dadb939a8b966d19018f31823.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 08051b142908faf03033c52604afec838f8d507dadb939a8b966d19018f31823.exe (PID 1660)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID and process, target PID and process):
  - PID 1660 (08051b142908faf03033c52604afec838f8d507dadb939a8b966d19018f31823.exe) wrote to memory of PID 840 (MediaCenter.exe), 4 events
  - PID 1660 (08051b142908faf03033c52604afec838f8d507dadb939a8b966d19018f31823.exe) wrote to memory of PID 1152 (cmd.exe), 4 events
  - PID 1152 (cmd.exe) wrote to memory of PID 1100 (PING.EXE), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\08051b142908faf03033c52604afec838f8d507dadb939a8b966d19018f31823.exe (PID 1660, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\08051b142908faf03033c52604afec838f8d507dadb939a8b966d19018f31823.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 840, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1152, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08051b142908faf03033c52604afec838f8d507dadb939a8b966d19018f31823.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1100, level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ff3c76cbc23c11c72e468ee6772ce742
  SHA1: 2d9238c2ed4bf78d460174e9810639f031570f8c
  SHA256: 0e11f1e56c0ebd01f8fe4f9c73c7b98f9b0f2633d6ac8ef1fdd455adcfd91435
  SHA512: c35bb7947de56b810e95296b233c0532f26168084145b678546014c12b19ff1cb6a301e99d03542174760b4ccd38200e1663c4853c49339a4c271c1239fcda24
- memory/1660-55-0x00000000763F1000-0x00000000763F3000-memory.dmp
  Filesize: 8KB