Analysis
max time kernel: 123s
max time network: 155s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:34
Static task: static1
Behavioral task: behavioral1
  Sample: 0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe
  Resource: win10v2004-en-20220113
General
Target: 0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe
Size: 58KB
MD5: cbccf3ae80d0b397ff0c9d0083ccad68
SHA1: 528f885ff4dbaebeb0de0ad9763585dce4a5657d
SHA256: 0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871
SHA512: 42d4e5dc4a6f53cabe1800deb470a04f211ee6174a3cf833063acb74b9c58b3f31d4510c4c3c6b0101c2cd78befcd604ded7e9d743d35d43f799bf8e5a89791b
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1632)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 788)
- Loads dropped DLL (2 IoCs)
  Process: 0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe (PID 1628), 2 occurrences
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe (PID 1628)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1628 (0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe) wrote to memory of PID 1632 (MediaCenter.exe), 4 occurrences
  PID 1628 (0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe) wrote to memory of PID 788 (cmd.exe), 4 occurrences
  PID 788 (cmd.exe) wrote to memory of PID 1948 (PING.EXE), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe"
  PID: 1628
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1632
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe"
    PID: 788
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1948
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7ff72ad785d5fc47afd1970795d9554f
  SHA1: 6c0a97a4bb71f646a5e6557c336678f73071e15c
  SHA256: 84534b84638650952f2f43b261102f2120af201d9ba489b525b8ed5786e20ac4
  SHA512: 7004a7ba1e7551988c1068656450dde9dc10f4483c25af633132fe2a8447a56970e214ff9fafee618e97c33abd7ee06a38eb19b76379563a3bd91d267adf7697
- memory/1628-55-0x0000000075021000-0x0000000075023000-memory.dmp
  Filesize: 8KB