Analysis
- max time kernel: 118s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:29
Static task: static1
Behavioral task: behavioral1
- Sample: 09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee.exe
- Resource: win10v2004-en-20220113
General
- Target: 09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee.exe
- Size: 60KB
- MD5: 38bf3cbd8fceee5757da8cd27d284929
- SHA1: 00af2c94a1bdf547836949b7309637860d05094b
- SHA256: 09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee
- SHA512: da5073e13c2184be20ec60e6f134dbbc63163fbe0b0a3f105b35ba7556c6c56161ede85dc9b7e64c822da3d66cdbd50b2a9c869eaad8f036eef621e88d5b9953
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 948)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1820)
  The dropper does not delete its own file directly; it hands the job to cmd.exe, which waits on a loopback ping and then runs del against the dropper's path (see the Processes section).
- Loads dropped DLL (2 IoCs)
  Processes: 09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee.exe (PID 732), two loads
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee.exe (PID 732)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path shows the sample is a 32-bit process whose HKLM write was redirected by WOW64 on the x64 guest; on a 32-bit host the same value lands under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The persistence target lives in the user's %TEMP%, which is itself a strong indicator: legitimate autostart entries rarely point into AppData\Local\Temp.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a generic sandbox heuristic. No file encryption, ransom note or other ransomware activity appears anywhere else in this report, so the "ransomware" wording should not be taken as a classification of this sample.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 968), command line ping 127.0.0.1. Here ping against the loopback address is used only as a short delay so that the dropper has exited before cmd.exe deletes it; it is not network reconnaissance.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee.exe (PID 732), Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID 732 (09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee.exe) wrote to PID 948 (MediaCenter.exe): 4 times
  Source PID 732 (09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee.exe) wrote to PID 1820 (cmd.exe): 4 times
  Source PID 1820 (cmd.exe) wrote to PID 968 (PING.EXE): 4 times
  Every write goes from a parent into a child it has just created, which is consistent with the parent's normal CreateProcess start-up writes; nothing in this report shows injection into a process the sample did not spawn.
Processes
- C:\Users\Admin\AppData\Local\Temp\09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee.exe (PID 732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 948, child of 732)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1820, child of 732)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    The command line names System32 but the image actually loaded is the SysWOW64 copy: WOW64 file-system redirection applies because the 32-bit dropper spawned it.
    - C:\Windows\SysWOW64\PING.EXE (PID 968, child of 1820)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
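The process tree above is the whole infection chain: drop MediaCenter.exe into %TEMP%, register it under a Run key, then have cmd.exe sleep on a loopback ping and delete the original dropper. The following is an added example written for this page, not code from the Triage report or from the sample's author. It encodes those three observations as detection rules and runs them over constructed Sysmon-style events that mirror the tree (the event dicts, their field names pid/ppid/image/cmdline/sha256/target/details, and the benign "VendorAgent" control entry are all assumptions made for the example). It also generalises the self-delete rule slightly beyond the page's exact command line, accepting localhost/::1 and a ping -n count, since those are common variants of the same trick.

```python
"""
Editor's added example (not part of the sandbox report): detection logic for
the behaviours recorded above, evaluated over constructed Sysmon-style
process-creation and registry-set events. The event schema is an assumption.
"""
import re

# Indicators copied from the report: the submitted dropper and the EXE it drops.
IOC_SHA256 = {
    "09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee": "dropper",
    "fc972b0e110f524d5d0bfddfe72cda7109a2b7d313b535eb6a148b4967caeceb": "MicroMedia\\MediaCenter.exe",
}

# Run / RunOnce value under either the native or the Wow6432Node registry path.
RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$', re.IGNORECASE)
# Locations a standard user can write to; an autostart value pointing here is suspicious.
USER_WRITABLE_RE = re.compile(r'\\(AppData\\(Local|Roaming)|ProgramData|Users\\Public)\\', re.IGNORECASE)
# "ping <loopback> ... & del [/switches] <path.exe>": ping is only a sleep before the delete.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\b.*?&+\s*del\b(?:\s+/[a-z]+)*\s+"?([^"&]+?\.exe)"?',
    re.IGNORECASE,
)


def extract_deleted_target(cmdline):
    """Return the .exe path a 'ping <loopback> & del' command line removes, or None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group(1) if m else None


def analyze(events):
    """Evaluate the three rules over a list of event dicts and return the findings."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            label = IOC_SHA256.get(e.get("sha256", "").lower())
            if label:
                findings.append({"rule": "known_hash", "pid": e["pid"], "detail": label})
            target = extract_deleted_target(e["cmdline"])
            parent = procs.get(e["ppid"])
            # Self-deletion: the file being deleted is exactly the parent's own image.
            if target and parent and target.lower() == parent["image"].lower():
                findings.append({"rule": "self_delete", "pid": e["pid"], "detail": target})
        elif e["type"] == "registry":
            value_path = e["details"].strip('"')
            if RUN_KEY_RE.search(e["target"]) and USER_WRITABLE_RE.search(value_path):
                findings.append({"rule": "run_key_user_writable", "pid": e["pid"], "detail": e["target"]})
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report's process tree (PIDs 732, 948, 1820, 968),
# plus one hypothetical benign Run value (PID 1200) so the negative case is exercised.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 732, "ppid": 500, "image": DROPPER, "cmdline": '"%s"' % DROPPER,
     "sha256": "09e90fad290dce726c5bfab8431358ac3b26f689d43d7c568e4e41fc8ea658ee"},
    {"type": "registry", "pid": 732, "image": DROPPER,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"type": "process", "pid": 948, "ppid": 732, "image": DROPPED, "cmdline": DROPPED,
     "sha256": "fc972b0e110f524d5d0bfddfe72cda7109a2b7d313b535eb6a148b4967caeceb"},
    {"type": "process", "pid": 1820, "ppid": 732, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "%s"' % DROPPER},
    {"type": "process", "pid": 968, "ppid": 1820, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"type": "registry", "pid": 1200, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:<22} pid={f['pid']:<5} {f['detail']}")
```

On the constructed input this yields four findings: known_hash for PIDs 732 and 948, run_key_user_writable for the MicroMedia value, and self_delete for cmd.exe (PID 1820), while the Program Files autostart entry is left alone. To use it on real telemetry, replace SAMPLE_EVENTS with parsed Sysmon Event ID 1 (process create) and Event ID 13 (registry value set) records mapped onto the same field names; the self_delete rule deliberately requires the deleted path to equal the parent's image so that ordinary installer clean-up of a different file does not fire it.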
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 077ded1b592d7305eb40d59594ed02b2
  SHA1: 42c4dc45eb7cf163975de1ae8530891e1ae85dc1
  SHA256: fc972b0e110f524d5d0bfddfe72cda7109a2b7d313b535eb6a148b4967caeceb
  SHA512: 256065539777c093fa108a3bd2fc9ffe901e795996437bd4404404f39a8e6a64844ac0adb0b625c9bd71f575936dfe9d0e0f5e42a235d3ad9b33723f4b54ad76
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (same file recorded under its drive-relative path)
  MD5: 077ded1b592d7305eb40d59594ed02b2
  SHA1: 42c4dc45eb7cf163975de1ae8530891e1ae85dc1
  SHA256: fc972b0e110f524d5d0bfddfe72cda7109a2b7d313b535eb6a148b4967caeceb
  SHA512: 256065539777c093fa108a3bd2fc9ffe901e795996437bd4404404f39a8e6a64844ac0adb0b625c9bd71f575936dfe9d0e0f5e42a235d3ad9b33723f4b54ad76
- memory/732-55-0x0000000076B81000-0x0000000076B83000-memory.dmp
  Filesize: 8KB