Analysis
- max time kernel: 128s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:14
Static task: static1
Behavioral task: behavioral1
- Sample: 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
- Resource: win10v2004-en-20220112
General
- Target: 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
- Size: 60KB
- MD5: 7c53376faeaa9f2b0e1ff98b5d6867e2
- SHA1: dc7749eebbcd5943913436d5cab1d1afffae23ce
- SHA256: 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb
- SHA512: 0a94f36e7a9df284eea67aa897e4944b682ad4e162a85ba36d4e6811f2c610398c6af63f1b4b8a97e24dcba7d1abcb2d867697404d91ee3de0c6bd7a9dc74ff2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1676 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  - 1624 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 740 | 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
  - 740 | 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeIncBasePriorityPrivilege | 740 | 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 740 wrote to memory of 1676 | 740 | 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe | MediaCenter.exe
  - PID 740 wrote to memory of 1676 | 740 | 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe | MediaCenter.exe
  - PID 740 wrote to memory of 1676 | 740 | 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe | MediaCenter.exe
  - PID 740 wrote to memory of 1676 | 740 | 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe | MediaCenter.exe
  - PID 740 wrote to memory of 1624 | 740 | 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe | cmd.exe
  - PID 740 wrote to memory of 1624 | 740 | 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe | cmd.exe
  - PID 740 wrote to memory of 1624 | 740 | 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe | cmd.exe
  - PID 740 wrote to memory of 1624 | 740 | 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe | cmd.exe
  - PID 1624 wrote to memory of 1268 | 1624 | cmd.exe | PING.EXE
  - PID 1624 wrote to memory of 1268 | 1624 | cmd.exe | PING.EXE
  - PID 1624 wrote to memory of 1268 | 1624 | cmd.exe | PING.EXE
  - PID 1624 wrote to memory of 1268 | 1624 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe (level 1, PID 740)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 1676)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 1624)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3, PID 1268)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 063e84049214f468b26076fc20b2efe1
  SHA1: 2d3991a7c0674bb1b07885c709b5a5a1a852e07b
  SHA256: beeaadd153139624931ce3ea6c50de0e14b8655b5a13a5949410905d36983f24
  SHA512: 07f6ad9a47bd31bd0de35b70b0162dd11bc6b8d1da92aecbce924a8a9c10db98da49e43541bec80373e3f3b327e006ebbe7c6b7285d60e40da4cd728be5973c1
- memory/740-55-0x0000000076141000-0x0000000076143000-memory.dmp
  Filesize: 8KB