Analysis
- max time kernel: 120s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:31
Static task: static1
Behavioral task: behavioral1
  Sample: 09cc1f6e99859d5fc8cb85b02cfe621d634616c148bae97963d1a65ad79badd3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09cc1f6e99859d5fc8cb85b02cfe621d634616c148bae97963d1a65ad79badd3.exe
  Resource: win10v2004-en-20220113
General
- Target: 09cc1f6e99859d5fc8cb85b02cfe621d634616c148bae97963d1a65ad79badd3.exe
- Size: 58KB
- MD5: 613735f5aa75dafa2f5cc62da29d42c8
- SHA1: f2fa79b72bfce1efc454b7fb26c039436a611016
- SHA256: 09cc1f6e99859d5fc8cb85b02cfe621d634616c148bae97963d1a65ad79badd3
- SHA512: 0f314edddf4c7fe995847c4ab56c3149fcda84d0e7aca2e53fc13dbdb53395aea519c1a7bbabc0edcf00340325be909ec150e891375c40d19a221113fefa488b
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 972)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 776)
- Loads dropped DLL (2 IoCs)
  Process: 09cc1f6e99859d5fc8cb85b02cfe621d634616c148bae97963d1a65ad79badd3.exe (PID 1388), two IoCs
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 09cc1f6e99859d5fc8cb85b02cfe621d634616c148bae97963d1a65ad79badd3.exe set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process 09cc1f6e99859d5fc8cb85b02cfe621d634616c148bae97963d1a65ad79badd3.exe (PID 1388): Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1388 (09cc1f6e99859d5fc8cb85b02cfe621d634616c148bae97963d1a65ad79badd3.exe) wrote to memory of PID 972 (MediaCenter.exe), 4 IoCs
  PID 1388 (09cc1f6e99859d5fc8cb85b02cfe621d634616c148bae97963d1a65ad79badd3.exe) wrote to memory of PID 776 (cmd.exe), 4 IoCs
  PID 776 (cmd.exe) wrote to memory of PID 1096 (PING.EXE), 4 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\09cc1f6e99859d5fc8cb85b02cfe621d634616c148bae97963d1a65ad79badd3.exe (level 1, PID 1388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09cc1f6e99859d5fc8cb85b02cfe621d634616c148bae97963d1a65ad79badd3.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 972)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 776)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09cc1f6e99859d5fc8cb85b02cfe621d634616c148bae97963d1a65ad79badd3.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3, PID 1096)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 167f7598d4da83e0a9ec0a47cfcbeddf
  SHA1: df4e750ca93cc6cb541955abe5fba17212e04068
  SHA256: 95d37e23e7d1cfda70eb63ddc97c58d33b74904be3f17f8710cbbb929ed4de9b
  SHA512: 581e60b9d196f0135f985e3dbfff8c5da1dfe7471719048fcd1e2c4ac36e2b4cae8e55ac5920b081457aa8ed0fdcdb7a6abd192899e281ebce8463896ddb2393
- memory/1388-54-0x0000000076421000-0x0000000076423000-memory.dmp
  Filesize: 8KB