Analysis

max time kernel: 119s
max time network: 129s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:35

Static task: static1

Behavioral task: behavioral1
  Sample: 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe
  Resource: win10v2004-en-20220113
General

Target: 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe
Size: 36KB
MD5: b6ae72a417ca1b92ac782925836ac536
SHA1: 1d8ec8567db01cc37d247a59f8d53c4107187600
SHA256: 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb
SHA512: eaf52110cf3a8fe3d297c69e79e0e854371b1e6f0eeacff44fe7c6bbbb4989303a456d47a921857606a73353954fd4e901fcb3bd90dcbf96bd2d655e9636d72d
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 268  MediaCenter.exe

Deletes itself (1 IoC)
  PID 1816  cmd.exe

Loads dropped DLL (2 IoCs)
  PID 1452  098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe  (x2)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by PID 1452 (098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  PID 1452  098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1452 (098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe) wrote to memory of PID 268 (MediaCenter.exe)  (x4)
  PID 1452 (098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe) wrote to memory of PID 1816 (cmd.exe)  (x4)
  PID 1816 (cmd.exe) wrote to memory of PID 1812 (PING.EXE)  (x4)
Processes

1. C:\Users\Admin\AppData\Local\Temp\098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe"
   PID: 1452
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 268
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe"
      PID: 1816
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1812
         - Runs ping.exe
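Two behaviours in the tree above are worth turning into host-side detections: the Run-key value that points at a freshly dropped executable under the user's Temp directory, and the `cmd /c ping 127.0.0.1 & del /q "<self>"` launcher, where the ping exists only to delay the del until the parent has exited and released its file lock. (Two side notes on reading the tree: the cmd.exe and PING.EXE images sit under SysWOW64 although the command line names System32, because the sample is a 32-bit process on x64 and its file-system and registry accesses are redirected, which is also why the Run value lands under Wow6432Node; and the WriteProcessMemory entries are parent-into-child writes that ordinary process creation produces as well, so they add context rather than evidence.) The following is an added example, not sandbox output or part of the original report. It runs the two checks over constructed events in the shape of Sysmon Event ID 1 (process create) and Event ID 13 (registry value set); the PIDs, paths, Run value and cmd.exe command line are copied from the report, while the field names, the explorer.exe parent (PID 1000) and the benign "Vendor" Run key are assumptions made for the example.

```python
"""Detect (1) a Run/RunOnce value pointing into a user-writable directory and
(2) the `cmd /c ping <host> & del "<path>"` self-deletion pattern, where the
deleted path is the parent process's own image.  Event records are constructed
in the shape of Sysmon Event ID 1 / Event ID 13; the field names are an
assumption for this example, not the sandbox's export format."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events.  PIDs, image paths, the Run-key value and the cmd.exe
# command line come from the report; the explorer.exe parent (PID 1000) and
# the benign "Vendor" Run key (PID 900) are invented controls.
EVENTS = [
    {"id": 1, "pid": 1452, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"id": 13, "pid": 1452, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"id": 1, "pid": 268, "ppid": 1452, "image": DROPPED, "cmdline": DROPPED},
    {"id": 1, "pid": 1816, "ppid": 1452, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"id": 1, "pid": 1812, "ppid": 1816, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"id": 13, "pid": 900, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Directories an unprivileged user can write to; a Run value pointing here is
# the persistence shape seen in this report.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\Users\\Public\\|\\Temp\\", re.I)
# cmd /c ping <host> & del [/switches] "<path>" -- the ping is only a delay so
# the parent can exit and release its file lock before del runs.
SELF_DELETE = re.compile(
    r"/c\s+ping\s+(?:-n\s+\d+\s+)?\S+\s*&\s*del\s+(?:/\S+\s+)*\"?(?P<path>[^\"&]+?)\"?\s*$",
    re.I)


def run_key_into_user_dir(events):
    """Return (pid, key, value) for Run/RunOnce values aimed at user-writable paths."""
    hits = []
    for e in events:
        if e["id"] == 13 and RUN_KEY.search(e["target"]) and USER_WRITABLE.search(e["details"]):
            hits.append((e["pid"], e["target"], e["details"]))
    return hits


def self_deletion(events):
    """Return (parent_pid, parent_image, cmd_pid) when a cmd.exe child deletes its parent's image."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e["cmdline"])
        if not m:
            continue
        parent_image = image_by_pid.get(e["ppid"], "")
        # Only fire when the deleted file is the parent's own image; a cmd.exe
        # that pings and deletes some other file is a different (weaker) signal.
        if parent_image and m.group("path").strip().lower() == parent_image.lower():
            hits.append((e["ppid"], parent_image, e["pid"]))
    return hits


if __name__ == "__main__":
    for hit in run_key_into_user_dir(EVENTS):
        print("persistence: PID %d set %s -> %s" % hit)
    for hit in self_deletion(EVENTS):
        print("self-delete: PID %d (%s) removed by cmd.exe PID %d" % hit)
```

The self-deletion check deliberately requires the process-create record of the parent: without it the deleted path cannot be tied to the parent's image, and the rule stays silent rather than guessing. On a real host the same two functions can be fed from a Sysmon or EDR export once the field names are mapped.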
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 284ccde44c2a0b5e3a3458985b12d50f
  SHA1: d36a9f617c244d190318bc1b86dff8ea2eb8ecb1
  SHA256: eeff4236a4ec0819ecfd8a4d839d238db1ec2618fd516316ac692250d348338f
  SHA512: 7e2ae52992ee7546a34bf947838eb9c45db3cfd7b473dd187e8b367e9c3a7b3beffbbea666799bd9cad8d9ee75de00abd8369898e5d175c9eb544de9e7574638

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 284ccde44c2a0b5e3a3458985b12d50f
  SHA1: d36a9f617c244d190318bc1b86dff8ea2eb8ecb1
  SHA256: eeff4236a4ec0819ecfd8a4d839d238db1ec2618fd516316ac692250d348338f
  SHA512: 7e2ae52992ee7546a34bf947838eb9c45db3cfd7b473dd187e8b367e9c3a7b3beffbbea666799bd9cad8d9ee75de00abd8369898e5d175c9eb544de9e7574638
memory/1452-54-0x0000000076151000-0x0000000076153000-memory.dmp
  Filesize: 8KB