Analysis
- max time kernel: 123s
- max time network: 134s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:34
Static task: static1
Behavioral task: behavioral1
- Sample: 09a9d3015167fce4c61a135e3d1cf290dcdf98427a2b7fe7c8c449faefd27cca.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 09a9d3015167fce4c61a135e3d1cf290dcdf98427a2b7fe7c8c449faefd27cca.exe
- Resource: win10v2004-en-20220112
General
- Target: 09a9d3015167fce4c61a135e3d1cf290dcdf98427a2b7fe7c8c449faefd27cca.exe
- Size: 36KB
- MD5: e2b9cfc20b95f5969870bd2a9a548f14
- SHA1: 0f60a1382696226aaf4bc188f5ed360f190d8cf1
- SHA256: 09a9d3015167fce4c61a135e3d1cf290dcdf98427a2b7fe7c8c449faefd27cca
- SHA512: 414e0b3dd568daaf9e92146559eccd68ea0e0ba55a5c362c75cbe770dfb9d2292fbeade815f243ee0c892b42ded9fc8e262249e8fbf7af1aab9781db01bda6db
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe, PID 1660
- Deletes itself (1 IoC)
  Processes: cmd.exe, PID 800
- Loads dropped DLL (2 IoCs)
  Processes: 09a9d3015167fce4c61a135e3d1cf290dcdf98427a2b7fe7c8c449faefd27cca.exe, PID 748 (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 09a9d3015167fce4c61a135e3d1cf290dcdf98427a2b7fe7c8c449faefd27cca.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 09a9d3015167fce4c61a135e3d1cf290dcdf98427a2b7fe7c8c449faefd27cca.exe, PID 748
  Description: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID wrote to memory of target PID, source process -> target process):
  - PID 748 wrote to memory of 1660: 09a9d3015167fce4c61a135e3d1cf290dcdf98427a2b7fe7c8c449faefd27cca.exe -> MediaCenter.exe (4 entries)
  - PID 748 wrote to memory of 800: 09a9d3015167fce4c61a135e3d1cf290dcdf98427a2b7fe7c8c449faefd27cca.exe -> cmd.exe (4 entries)
  - PID 800 wrote to memory of 1832: cmd.exe -> PING.EXE (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\09a9d3015167fce4c61a135e3d1cf290dcdf98427a2b7fe7c8c449faefd27cca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09a9d3015167fce4c61a135e3d1cf290dcdf98427a2b7fe7c8c449faefd27cca.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 748
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1660
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09a9d3015167fce4c61a135e3d1cf290dcdf98427a2b7fe7c8c449faefd27cca.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 800
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1832
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: fa9e4598ee34664b306bc3fb3d6bb219
  SHA1: 269b9127dc9c1e5b41cf15944a369e074ca17686
  SHA256: 2f089282843f1e33d56a4fc61f984739e55fd50675bc78809d8ca24ad0bf115c
  SHA512: bf687692c1aa848617d8b5eb01a973fbf93e51770f4bf55170f519d180022af5f2573e3908862da532b0ab5be27ce376a95843e73028c9d943cdac2c9a4da49e
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: fa9e4598ee34664b306bc3fb3d6bb219
  SHA1: 269b9127dc9c1e5b41cf15944a369e074ca17686
  SHA256: 2f089282843f1e33d56a4fc61f984739e55fd50675bc78809d8ca24ad0bf115c
  SHA512: bf687692c1aa848617d8b5eb01a973fbf93e51770f4bf55170f519d180022af5f2573e3908862da532b0ab5be27ce376a95843e73028c9d943cdac2c9a4da49e
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: fa9e4598ee34664b306bc3fb3d6bb219
  SHA1: 269b9127dc9c1e5b41cf15944a369e074ca17686
  SHA256: 2f089282843f1e33d56a4fc61f984739e55fd50675bc78809d8ca24ad0bf115c
  SHA512: bf687692c1aa848617d8b5eb01a973fbf93e51770f4bf55170f519d180022af5f2573e3908862da532b0ab5be27ce376a95843e73028c9d943cdac2c9a4da49e
- memory/748-54-0x00000000754B1000-0x00000000754B3000-memory.dmp
  Filesize: 8KB