Analysis
- max time kernel: 132s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:35

Static task: static1
Behavioral task: behavioral1
  Sample: 099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe
  Resource: win10v2004-en-20220112
General
- Target: 099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe
- Size: 35KB
- MD5: ca050cb980c4e1c3183d1a1e6d35be97
- SHA1: 52de54ab815cd9ffe60459de44f3aa970e8293f8
- SHA256: 099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d
- SHA512: b2430c7e91cafe99e497225b918893357ea9bfb12942f80020cad30e7a522adfd878782fe632553efd39f2c920971366dee646554ef17f58d491e3f9d7ffd84d
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid 516  MediaCenter.exe
-
Deletes itself (1 IoC)
Processes:
  pid 640  cmd.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid 820  099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe (listed twice: two loads)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: the Wow6432Node path shows a 32-bit process writing the machine-wide HKLM Run key on a 64-bit host, so the dropped copy under %TEMP% is started for every user at logon; writing HKLM needs elevated rights, which the sample had here because it ran as Admin.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour; it is a generic heuristic and nothing else in this report (no file encryption, no ransom note, no mass file writes) confirms it for this sample.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeIncBasePriorityPrivilege  pid 820  099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 820 wrote to memory of 516 (099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe -> MediaCenter.exe), 4 calls
  PID 820 wrote to memory of 640 (099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe -> cmd.exe), 4 calls
  PID 640 wrote to memory of 1140 (cmd.exe -> PING.EXE), 4 calls
  Note: every target is a child that the writing process itself spawned, as the process tree below shows, so these writes are consistent with ordinary process creation rather than injection into an unrelated process.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 820
  [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 516
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 640
    [3] C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1
        - Runs ping.exe
        PID: 1140

Note on the chain: ping 127.0.0.1 is used only as a delay so that the original executable has exited before del /q removes it; the image path C:\Windows\SysWOW64\cmd.exe for a command line that names System32\cmd.exe is file-system redirection for a 32-bit process on a 64-bit host, not a second cmd.exe. The dropped MediaCenter.exe and the Run value survive the self-delete, so that copy (hashes under Downloads) is the persistent artifact to hunt for.
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5 b447bfbc589e0a31260558c803b0c32b
SHA1 9735a0782e726cf544e7e6b84101650b06c48a40
SHA256 84bf5f6405e2af21537f22ac33b56bd4b50a5ec5552ddd25b871f282903489dc
SHA512 b3e154f95b13463e2fddc26ac7eb11f859d76f614d95372135e24d949360b3063cd01e225b086942f39eb867d1ce1d9fff3db7d6571aa7b96b0cbbbe103d2f3e
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5 b447bfbc589e0a31260558c803b0c32b
SHA1 9735a0782e726cf544e7e6b84101650b06c48a40
SHA256 84bf5f6405e2af21537f22ac33b56bd4b50a5ec5552ddd25b871f282903489dc
SHA512 b3e154f95b13463e2fddc26ac7eb11f859d76f614d95372135e24d949360b3063cd01e225b086942f39eb867d1ce1d9fff3db7d6571aa7b96b0cbbbe103d2f3e
-
memory/820-55-0x0000000075191000-0x0000000075193000-memory.dmp
Filesize 8KB