Analysis
- max time kernel: 148s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:35
Static task: static1
Behavioral task: behavioral1
- Sample: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
- Resource: win10v2004-en-20220113
General
- Target: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
- Size: 58KB
- MD5: 99b6601fa0cd928585de45afc7b8556c
- SHA1: 27b783dc1296c9625796a85654e44132d2b661ec
- SHA256: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6
- SHA512: 7ccaac4c13e0af0864d59de225e062cab768042a82a39a1f3ef40e8498e0ef4ccd67077d7aadf6cc39c2ec5c82dae285dfdc5cbc98cec4530aaeae22f550e9f0
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    788   MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1668  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    736   09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
    736   09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege   736   09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 736 wrote to memory of 788    736   09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe   MediaCenter.exe   (4 identical entries)
    PID 736 wrote to memory of 1668   736   09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe   cmd.exe           (4 identical entries)
    PID 1668 wrote to memory of 1664  1668  cmd.exe                                                                   PING.EXE          (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 736
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 788
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1668
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1664
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e50ade55100b389af15209392c4babdc
  SHA1: fe7b80ad265f82fd7e01dd41cd056a2703b27ac5
  SHA256: 569d8ca8790b04b1bd98fc5118fec1c4ae6e682e0d12cacb0f22c331e46417b9
  SHA512: 023f2a0ab442c6dd81cdff90dd9ad1740bb9e271300a0417608069524a1fdb8dc4c80c1df462622cf03abade306254d88add2a7481b0723536b187ca4cfd4cd8
- memory/736-55-0x0000000076B81000-0x0000000076B83000-memory.dmp
  Filesize: 8KB