Analysis
- max time kernel: 146s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:32
Static task: static1
Behavioral task: behavioral1
- Sample: 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
- Resource: win10v2004-en-20220113
General
- Target: 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
- Size: 60KB
- MD5: b1c10b0fef721b061f93fb1a4c376c23
- SHA1: e2c6d869e34b5ac03156f721a2ac41758d7bbe0f
- SHA256: 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2
- SHA512: 73911ee241d2897e9064693f941844dd90ea365800245fc3ff608366450f0d0b249cf3e734ace0a9091277840c75b165b5327e02a4c687fa852f0a201ddc243b
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 1684  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid 300  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 868  09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
    pid 868  09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid 868  09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 868 wrote to memory of 1684 | 868 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | MediaCenter.exe
    PID 868 wrote to memory of 1684 | 868 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | MediaCenter.exe
    PID 868 wrote to memory of 1684 | 868 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | MediaCenter.exe
    PID 868 wrote to memory of 1684 | 868 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | MediaCenter.exe
    PID 868 wrote to memory of 300 | 868 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | cmd.exe
    PID 868 wrote to memory of 300 | 868 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | cmd.exe
    PID 868 wrote to memory of 300 | 868 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | cmd.exe
    PID 868 wrote to memory of 300 | 868 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | cmd.exe
    PID 300 wrote to memory of 828 | 300 | cmd.exe | PING.EXE
    PID 300 wrote to memory of 828 | 300 | cmd.exe | PING.EXE
    PID 300 wrote to memory of 828 | 300 | cmd.exe | PING.EXE
    PID 300 wrote to memory of 828 | 300 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe"
  Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  PID: 868
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures:
      - Executes dropped EXE
    PID: 1684
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe"
    Signatures:
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    PID: 300
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      Signatures:
        - Runs ping.exe
      PID: 828
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ccc124ea893e9363d77f80bf0444f186
  SHA1: 4f9ea2d5b9e7e2e3da3b14db0b9f8b0d2bace59a
  SHA256: ae519e2a4fa9e0b95ff15868eee78390af4f7973abf13637f9f8812f51082494
  SHA512: ef0a7aa8fe7b4d4832151078524d1d8295a6a0c2df744f637c97c1368030e24eb86e795faa43b480fe2ed9b0f6ce9ebf29b6e54a65713382bc0295d55c969123
- memory/868-54-0x0000000075761000-0x0000000075763000-memory.dmp
  Filesize: 8KB