Analysis
max time kernel: 143s
max time network: 160s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:30
Static task: static1
Behavioral task: behavioral1
  Sample: 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
  Resource: win10v2004-en-20220113
General
Target: 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
Size: 58KB
MD5: 3ba33244da4de771baca5d80dba84477
SHA1: 9bedc1c8f3c2571a12973f9cbb26a8ef67abf305
SHA256: 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2
SHA512: 9ba00480e4d087a5934857a7dd4c1832e54a496159da8071a8f8011bbc3e8378853d689a51c2afba24193d01f4e0e376d6249391983c97fc9b0f55b158cf65b4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1620 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1448 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    960 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
    960 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege 960 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 960 wrote to memory of 1620 960 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe MediaCenter.exe (4 entries)
    PID 960 wrote to memory of 1448 960 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe cmd.exe (4 entries)
    PID 1448 wrote to memory of 1844 1448 cmd.exe PING.EXE (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 960
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1620
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1448
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1844
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: cce446f9cc2fc85327c301ce21cc0360
  SHA1: b44ea0a37a2fc9d43e2590b8f63576bc3662cc1e
  SHA256: c6e1484582d6a88b53c3fd60ab3c96589fbcd2cc8e81c2535fdab5dd699c413e
  SHA512: 4e3c71684080b19d0da66364d2e489cd5e5bcb3d314b8a3fff6d9e0e86ad61fc0cf30ae6de60119a2990f04e30608e2f6aa47d7fd8dd584588fe6e1027fd7b8e
- memory/960-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB