Analysis
- max time kernel: 117s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:32

Static task: static1
Behavioral task: behavioral1
- Sample: 09b8ecdeea3eb74d51071bfbbe5179e669050cab1318c1a40765ba2e803a78c9.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 09b8ecdeea3eb74d51071bfbbe5179e669050cab1318c1a40765ba2e803a78c9.exe
- Resource: win10v2004-en-20220113
General
- Target: 09b8ecdeea3eb74d51071bfbbe5179e669050cab1318c1a40765ba2e803a78c9.exe
- Size: 58KB
- MD5: e1ce252de79420c186c6fcc9a366f968
- SHA1: c7d3002fcbd854d413a542f50bc98644e0836634
- SHA256: 09b8ecdeea3eb74d51071bfbbe5179e669050cab1318c1a40765ba2e803a78c9
- SHA512: 30a8339812b513592d3dbcb2e9927e7e3c7a1701f33dd6370b4e968ddbc37f11b6b8633f5fcdd6340e0f844b4e27fe7388f1aafa2f33495652cbeff6731bb7bb
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1616  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid 396  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1608  09b8ecdeea3eb74d51071bfbbe5179e669050cab1318c1a40765ba2e803a78c9.exe (listed twice)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    09b8ecdeea3eb74d51071bfbbe5179e669050cab1318c1a40765ba2e803a78c9.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The sample is a 32-bit process (its children run from C:\Windows\SysWOW64), so its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected to the Wow6432Node view recorded here; when hunting on x64 hosts, check both the native and the Wow6432Node Run key for the MicroMedia value.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Nothing else in this report supports ransomware (one dropped executable, no further file writes or renames recorded); the chain recorded below is a dropper that installs MediaCenter.exe for persistence and then removes its own image.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    pid 1608  09b8ecdeea3eb74d51071bfbbe5179e669050cab1318c1a40765ba2e803a78c9.exe  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    pid 1608 (09b8ecdeea3eb74d51071bfbbe5179e669050cab1318c1a40765ba2e803a78c9.exe) wrote to memory of pid 1616 (MediaCenter.exe), 4 times
    pid 1608 (09b8ecdeea3eb74d51071bfbbe5179e669050cab1318c1a40765ba2e803a78c9.exe) wrote to memory of pid 396 (cmd.exe), 4 times
    pid 396 (cmd.exe) wrote to memory of pid 788 (PING.EXE), 4 times
  Every target is a direct child of the writing process, so these writes are consistent with a parent setting up the child it has just created rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\09b8ecdeea3eb74d51071bfbbe5179e669050cab1318c1a40765ba2e803a78c9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\09b8ecdeea3eb74d51071bfbbe5179e669050cab1318c1a40765ba2e803a78c9.exe"
   PID: 1608
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1616
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09b8ecdeea3eb74d51071bfbbe5179e669050cab1318c1a40765ba2e803a78c9.exe"
      PID: 396
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 788
         - Runs ping.exe
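The three behaviours in the process tree above (a Run key pointing into a user-writable Temp directory, a dropped executable launched from that directory, and self-deletion through `cmd /c ping 127.0.0.1 & del`) can be turned into detection rules. The Python below is an added example and is not part of the sandbox report or the sample: it runs over constructed Sysmon-style events that reproduce the recorded process tree, with PIDs, paths and the registry IoC copied from the report. The event schema (`type`, `pid`, `ppid`, `image`, `cmdline`, `key`, `value`) is an assumed minimal one onto which real Sysmon event ID 1 and 13 fields would be mapped.

```python
"""Detection rules for the behaviour in this report, run over constructed
Sysmon-style events. Added example: not part of the sandbox report or the
sample. The event schema (type/pid/ppid/image/cmdline, key/value) is an
assumed minimal one; map real Sysmon EID 1 and EID 13 fields onto it."""
import re
from dataclasses import dataclass

# Paths, PIDs and the registry IoC below are copied from the report; the
# event list itself is constructed to mirror the recorded process tree.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\09b8ecdeea3eb74d51071bfbbe5179e669050cab1318c1a40765ba2e803a78c9.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"type": "process", "pid": 1608, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 1608, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
            r"\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": 1616, "ppid": 1608, "image": DROPPED,
     "cmdline": DROPPED},
    # cmd.exe is requested via the System32 path but runs from SysWOW64: the
    # sample is 32-bit, so file-system redirection applies (as in the report).
    {"type": "process", "pid": 396, "ppid": 1608,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 788, "ppid": 396,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]

# "ping <loopback> & del [/switches] <file>": ping acts as a sleep so the
# parent can exit before its own image is deleted. Captures the deleted path.
SELF_DELETE_RE = re.compile(
    r"\bping\b[^&|]*?(?:127\.0\.0\.1|localhost|::1)[^&|]*&+\s*del\b"
    r"(?:\s+/\w+)*\s+\"?(?P<target>[^\"]+?)\"?\s*$",
    re.IGNORECASE,
)
# Native or 32-bit (Wow6432Node) view of the Run/RunOnce autostart keys.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
                        re.IGNORECASE)
# Locations any user can write to; legitimate autostarts rarely live here.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _norm(path: str) -> str:
    """Strip quotes and case so a command-line path compares to an image path."""
    return path.strip().strip('"').lower()


def analyse(events):
    """Return one Finding per rule hit, in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "registry":
            if RUN_KEY_RE.search(e["key"]) and USER_WRITABLE_RE.search(e["value"]):
                findings.append(Finding("run_key_to_user_writable_path", e["pid"],
                                        f'{e["key"]} = {e["value"]}'))
            continue
        parent = procs.get(e["ppid"])
        if parent is None:
            continue  # no recorded parent: the two rules below need one
        m = SELF_DELETE_RE.search(e["cmdline"])
        if m and _norm(m["target"]) == _norm(parent["image"]):
            findings.append(Finding("self_delete_via_ping_del", e["pid"],
                                    f'pid {e["pid"]} deletes parent image {parent["image"]}'))
        if (USER_WRITABLE_RE.search(e["image"]) and USER_WRITABLE_RE.search(parent["image"])
                and _norm(e["image"]) != _norm(parent["image"])):
            findings.append(Finding("temp_exe_spawns_temp_exe", e["pid"],
                                    f'{parent["image"]} -> {e["image"]}'))
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

The self-deletion rule only fires when the file named after `del` is the parent's own image, which keeps ordinary cleanup scripts (`ping` followed by deleting a log or temp file) out of the results; the Run-key rule deliberately matches both the native and the Wow6432Node key path, since a 32-bit dropper on x64 lands in the latter.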
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the report also lists the same file as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, without the drive letter)
  MD5: 5cfd7fcd7d79f572fd81f40500023eaa
  SHA1: 4516c3e8784267fec9f0e0b3465f38c28e9ec6ba
  SHA256: f5fc31adde09f1fdcb67d539a136b8831e934c93cd4bdc2554fc2ca0bc871058
  SHA512: 54482d77a2531ef8755d7fe62a2d7d52c6615dd9bb269554586d3d08816d3d84ebc2a51a776722edf2bce2560eeefcdc0ce47b9556b8c72ba0d1f4c1735f685a
- memory/1608-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB