Analysis
max time kernel: 122s
max time network: 146s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:35
Static task: static1
Behavioral task: behavioral1
  Sample: 098e95f77bbb1aa8ee0125920c0c423bad8ac0425fe8a3d7e5cb0aae275d4382.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 098e95f77bbb1aa8ee0125920c0c423bad8ac0425fe8a3d7e5cb0aae275d4382.exe
  Resource: win10v2004-en-20220113
(The results below are from behavioral1, the windows7_x64 run named in the header.)
General
Target: 098e95f77bbb1aa8ee0125920c0c423bad8ac0425fe8a3d7e5cb0aae275d4382.exe
Size: 58KB
MD5: 056beb449b8588a0580792a95b0c9d27
SHA1: a544af8d0f53b20c18e914f6e39f98bfcb59acbf
SHA256: 098e95f77bbb1aa8ee0125920c0c423bad8ac0425fe8a3d7e5cb0aae275d4382
SHA512: 415c0c3bd2182ee4792537c2309aa14c2428065fdb82c6fb015569ade98a8adf47019efb0b7e107dafdde37836240da71e922b644b11038f59d0465fbad67a2a
Malware Config: (none extracted in this report)
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1928
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 436
- Loads dropped DLL (2 IoCs)
  Process: 098e95f77bbb1aa8ee0125920c0c423bad8ac0425fe8a3d7e5cb0aae275d4382.exe, PID 1956 (two load events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 1956 (098e95f77bbb1aa8ee0125920c0c423bad8ac0425fe8a3d7e5cb0aae275d4382.exe) set value (str):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The key is under HKLM (the sandbox user "Admin" is an administrator, so the write succeeds), and the Wow6432Node path shows the writer is a 32-bit process on a 64-bit host: the value is what a 32-bit process sees as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroMedia. The persisted payload lives in the user's Temp directory, not in Program Files.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's description text calls this "likely ransomware behaviour"; that is a generic heuristic, and this run records no IoC for the signature and no file-encryption or file-modification events.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process 1956 (098e95f77bbb1aa8ee0125920c0c423bad8ac0425fe8a3d7e5cb0aae275d4382.exe) adjusted token privilege SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1956 (098e95f77bbb1aa8ee0125920c0c423bad8ac0425fe8a3d7e5cb0aae275d4382.exe) wrote to memory of PID 1928 (MediaCenter.exe), 4 events
  PID 1956 (098e95f77bbb1aa8ee0125920c0c423bad8ac0425fe8a3d7e5cb0aae275d4382.exe) wrote to memory of PID 436 (cmd.exe), 4 events
  PID 436 (cmd.exe) wrote to memory of PID 2024 (PING.EXE), 4 events
  Every target is a child the writing process has just created; the sandbox flags all cross-process writes, including the ones CreateProcess makes while setting up a new child, so this signature alone is not evidence of code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\098e95f77bbb1aa8ee0125920c0c423bad8ac0425fe8a3d7e5cb0aae275d4382.exe (PID 1956)
  command line: "C:\Users\Admin\AppData\Local\Temp\098e95f77bbb1aa8ee0125920c0c423bad8ac0425fe8a3d7e5cb0aae275d4382.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1928, child of 1956)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 436, child of 1956)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\098e95f77bbb1aa8ee0125920c0c423bad8ac0425fe8a3d7e5cb0aae275d4382.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 2024, child of 436)
      command line: ping 127.0.0.1
      - Runs ping.exe

Two details of this tree are worth reading correctly. The command line names C:\Windows\System32\cmd.exe but the image that runs is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process, so WOW64 file-system redirection maps System32 to SysWOW64 (consistent with the Wow6432Node Run key above). And the ping to 127.0.0.1 is not network activity in any meaningful sense; with no -n switch it sends four echoes and takes a few seconds, which is long enough for the parent to exit and release its image file so that the following del can remove the original sample from disk while the dropped MediaCenter.exe keeps running.
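The process tree above shows two behaviours a detection engineer would want to catch generically rather than by hash: a cmd.exe one-liner that pings loopback and then deletes the image of the process that spawned it, and a Run-key value that points into a user-writable directory. The following is an added example, not sandbox output or code from the sample: it replays constructed process-creation and registry-write events that mirror the report's tree and Run-key write, correlates the del target with the parent's image (a plain "ping & del" without that correlation also matches routine admin scripts, so a control event is included), and flags Run/RunOnce values whose data resolves into Temp, Roaming or Users\Public. The event schema, the parent PID 1000 assigned to the sample, the two control events and the list of user-writable locations are assumptions.

```python
"""Detection logic for the two behaviours in the report above.

Added example, not output of the sandbox or code from the sample: replays
constructed process-creation and registry-write events that mirror the
report's process tree and Run-key write. Event schema, ppid 1000 for the
sample, the control events and USER_WRITABLE are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str     # on-disk image path of the new process
    cmdline: str


@dataclass(frozen=True)
class RegistryEvent:
    pid: int
    path: str      # key path including the value name, as the report prints it
    data: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\098e95f77bbb1aa8ee0125920c0c423bad8ac0425fe8a3d7e5cb0aae275d4382.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the process tree above: PIDs, images and command lines are
# the report's; ppid 1000 for the sample and the two control events are made up.
PROCS = [
    ProcessEvent(1956, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(1928, 1956, DROPPED, DROPPED),
    ProcessEvent(436, 1956, r"C:\Windows\SysWOW64\cmd.exe",
                 f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcessEvent(2024, 436, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # Control: same one-liner, but the deleted file is not the parent's image.
    ProcessEvent(3000, 2999, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q C:\Temp\old.log'),
]
REGS = [
    RegistryEvent(1956, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
                        r"\CurrentVersion\Run\MicroMedia",
                  r"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"),
    # Control: a Run value pointing into System32 (constructed).
    RegistryEvent(500, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tray",
                  r"C:\\Windows\\System32\\SecurityHealthSystray.exe"),
]

# "ping 127.0.0.1 & del /q <file>": loopback ping used as a sleep, then a delete.
# Tolerates "-n N", "> nul", "&&" and extra del switches such as /f.
PING_DEL = re.compile(
    r'\bping\b[^&]*\b127\.0\.0\.1\b[^&]*&+\s*del\b(?:\s+/\w+)*\s+"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE)
RUN_VALUE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$',
                       re.IGNORECASE)
# Locations an unprivileged user can write to (assumption; tune per estate).
USER_WRITABLE = re.compile(r'\\AppData\\(?:Local\\Temp|Roaming)\\|\\Users\\Public\\',
                           re.IGNORECASE)


def norm(path: str) -> str:
    """Collapse the escaped backslashes the report prints, drop quotes, fold case."""
    return path.replace("\\\\", "\\").strip('"').lower()


def find_self_delete(procs):
    """(cmd pid, parent pid, deleted path) for ping-then-del one-liners whose
    del target is the image of the process that spawned cmd.exe."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        m = PING_DEL.search(p.cmdline)
        if not m:
            continue
        target = norm(m.group("target"))
        parent = by_pid.get(p.ppid)
        if parent is not None and norm(parent.image) == target:
            hits.append((p.pid, parent.pid, target))
    return hits


def find_user_writable_run_values(regs):
    """(pid, value name, data) for Run/RunOnce values pointing into user-writable dirs."""
    hits = []
    for r in regs:
        if RUN_VALUE.search(r.path) and USER_WRITABLE.search(norm(r.data)):
            hits.append((r.pid, r.path.rsplit("\\", 1)[-1], norm(r.data)))
    return hits


if __name__ == "__main__":
    for hit in find_self_delete(PROCS):
        print("self-delete:", hit)
    for hit in find_user_writable_run_values(REGS):
        print("run-key persistence:", hit)
```

Run stand-alone it reports one self-delete hit (PID 436 deleting the image of PID 1956) and one persistence hit (the MicroMedia value written by PID 1956); the control cmd.exe is not reported because the file it deletes is not its parent's image, and the control Run value is not reported because it points into System32. On a real EDR feed the same two functions apply unchanged to process-creation and registry-set events once they are mapped onto the ProcessEvent and RegistryEvent fields.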
Network
(no entries recorded in this report; the only traffic-related activity is the loopback ping shown above)
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  (the report lists the same file a further two times under the drive-less path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, with identical hashes)
  MD5: bc7bda25c8e3c6f5b2564e6cdd8d9188
  SHA1: afbe4908ede2b1fbae795c5968a80a1684cfcdff
  SHA256: 6c3be74d1f7329974ae06291d722570984db3943740d907064cccc2b7b3c5fd8
  SHA512: ad56766c2e36c6f2b64c7a1bdb8b0289e40293ef8bdf5b3a70b95a4488637704441d03e1629d7cadec945f69aacf81d6b2d63eae910838a0fe356b0264278f91
  These hashes differ from the submitted sample's, so MediaCenter.exe is a distinct payload carried inside the 58KB dropper rather than a copy of it; it is the file that survives the dropper's self-deletion and is referenced by the Run key.
- memory/1956-55-0x0000000076511000-0x0000000076513000-memory.dmp
  Filesize: 8KB