Analysis
max time kernel: 121s
max time network: 137s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:28
Static task: static1
Behavioral task: behavioral1
  Sample: 09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb.exe
  Resource: win10v2004-en-20220113
General
Target: 09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb.exe
Size: 60KB
MD5: 935708911966d9f48ad381e8c0887589
SHA1: 42cd731c525d7565e35d1c222daf59da089f15f7
SHA256: 09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb
SHA512: 65e87101127871ecc3396eb865b0f6a9e87ed2925d739f4c23ab5f62835da4372b494fa275a2fb81cba71d97c97b10c1bf711d3ca2ffa28c2cfd8daf826dcf38
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1284  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    1952  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1332  09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb.exe
    1332  09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb.exe
  The Wow6432Node path shows the value was written by a 32-bit process under WoW64; the persistence target is the copy the sample dropped under the user's Temp directory.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a heuristic signature triggered by drive enumeration alone; nothing else in this report (no file encryption, no ransom note, no mass file writes) corroborates ransomware, and the observed behaviour is that of a dropper with Run-key persistence.
- Runs ping.exe (1 TTPs, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1332
    process: 09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process; each row was recorded 4 times, 12 entries in total):
    PID 1332 wrote to memory of 1284  1332  09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb.exe  MediaCenter.exe
    PID 1332 wrote to memory of 1952  1332  09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb.exe  cmd.exe
    PID 1952 wrote to memory of 1820  1952  cmd.exe  PING.EXE
  Every target is a direct child in the process tree below, so these writes are consistent with ordinary process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb.exe (PID 1332)
   command line: "C:\Users\Admin\AppData\Local\Temp\09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1284)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1952)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1820)
         command line: ping 127.0.0.1
         - Runs ping.exe
The command line names System32\cmd.exe but the image path is SysWOW64\cmd.exe: file-system redirection for a 32-bit process on 64-bit Windows, consistent with the Wow6432Node Run key above. The `ping 127.0.0.1 & del /q "<self>"` chain is the common self-deletion idiom: ping supplies a short delay so the parent has exited and its image is no longer locked when del runs.
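The tree above is a compact specimen of the dropper pattern: copy to a subdirectory of the user's Temp folder, persist via a Run value pointing at that copy, then launch `cmd /c ping 127.0.0.1 & del /q "<self>"` to remove the original. The following Python is an added detection example written for this page; it is not part of the sandbox report or of the sample. Its process and registry events are constructed from the tree and the Run-key IoC above (the sample's own parent PID 1000 is assumed, since the report does not show it), and all function and pattern names are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as recorded (SysWOW64 for a WoW64 process)
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    key: str        # registry key path
    value: str      # value name
    data: str       # value data (a command line for Run entries)


# Constructed events, modelled on the process tree and Run-key IoC in the report above.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\09f350fe65b7a9e0120250707bae8ee945b6b33f8229275e8b096e84a2d977fb.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROC_EVENTS = [
    ProcEvent(1332, 1000, SAMPLE, f'"{SAMPLE}"'),   # ppid 1000 is an assumption
    ProcEvent(1284, 1332, DROPPED, DROPPED),
    ProcEvent(1952, 1332, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1820, 1952, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REG_EVENTS = [
    RegEvent(1332,
             r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
             "MicroMedia", DROPPED),
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# "ping <anything> & del [/switches] <path>": ping is the delay, del the deletion.
PING_DEL_RE = re.compile(r'\bping\b.*?&\s*del\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*$', re.I)


def find_self_delete(events):
    """cmd.exe running the ping-then-del idiom against its own parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = PING_DEL_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group(1).strip()
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == target.lower():
            hits.append((parent.pid, target))
    return hits


def find_temp_run_persistence(reg_events):
    """Run/RunOnce values whose command line points into the user's Temp directory."""
    return [(r.pid, r.value, r.data) for r in reg_events
            if RUN_KEY_RE.search(r.key) and USER_TEMP_RE.search(r.data)]


def find_temp_child_exec(events):
    """A process under Temp launching a different executable that also lives under Temp."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent is not None
                and USER_TEMP_RE.search(parent.image)
                and USER_TEMP_RE.search(e.image)
                and parent.image.lower() != e.image.lower()):
            hits.append((parent.pid, e.pid, e.image))
    return hits


def analyze(proc_events=PROC_EVENTS, reg_events=REG_EVENTS):
    """Run all three detections and return their hits keyed by name."""
    return {
        "self_delete": find_self_delete(proc_events),
        "temp_run_key": find_temp_run_persistence(reg_events),
        "temp_child_exec": find_temp_child_exec(proc_events),
    }


if __name__ == "__main__":
    for name, hits in analyze().items():
        print(f"{name}: {hits}")
```

The self-delete check deliberately requires that the path given to `del` equal the image of cmd.exe's parent; a script that pings and then deletes some other file is common in installers and should not fire. Feeding Sysmon event ID 1 (process create) and ID 13 (registry value set) records into `ProcEvent` and `RegEvent` is enough to run the same logic on live telemetry.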
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 969cd97087226fd9e19667a56ddf947b
  SHA1: 30c6515608e9c51017d4753ec6f01e97790f709b
  SHA256: 8181821897a4e15d61cbe2c316e6f9549603576d15303ae53d719e306f8008fd
  SHA512: f83aea285ff40b1ef8e3b73585ac2fe1bdb29f89fb290622253087ea4578df2dd3594e3baee62a36a09e0b7cb09ee9b8a88ad9cb86e9e5abdc076abcaa405392
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 969cd97087226fd9e19667a56ddf947b
  SHA1: 30c6515608e9c51017d4753ec6f01e97790f709b
  SHA256: 8181821897a4e15d61cbe2c316e6f9549603576d15303ae53d719e306f8008fd
  SHA512: f83aea285ff40b1ef8e3b73585ac2fe1bdb29f89fb290622253087ea4578df2dd3594e3baee62a36a09e0b7cb09ee9b8a88ad9cb86e9e5abdc076abcaa405392
memory/1332-55-0x0000000075F91000-0x0000000075F93000-memory.dmp
  Filesize: 8KB