Analysis
- max time kernel: 118s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:39
Static task: static1
Behavioral task: behavioral1
  Sample: 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe
  Resource: win10v2004-en-20220112
General
- Target: 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe
- Size: 36KB
- MD5: 2963bd982cf659f4eaf2eefbc22edf87
- SHA1: 12476df162028e0fea086bc3927fe38558cfc343
- SHA256: 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e
- SHA512: 933de770010d56c25746c4c9fc0e78a24fcbf4cb9b7f8802c3306eed7020a7691bb3ea264b452d713c8019ebc49218d9414fb6648e8acb465e5267b31caee1f1
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe (pid 1652)
- Deletes itself (1 IoCs)
  Processes: cmd.exe (pid 1020)
- Loads dropped DLL (2 IoCs)
  Processes: 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe (pid 1320), 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe (pid 1320)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe (pid 1320)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe, cmd.exe
  description | pid | process | target process
  PID 1320 wrote to memory of 1652 | 1320 | 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe | MediaCenter.exe
  PID 1320 wrote to memory of 1652 | 1320 | 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe | MediaCenter.exe
  PID 1320 wrote to memory of 1652 | 1320 | 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe | MediaCenter.exe
  PID 1320 wrote to memory of 1652 | 1320 | 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe | MediaCenter.exe
  PID 1320 wrote to memory of 1020 | 1320 | 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe | cmd.exe
  PID 1320 wrote to memory of 1020 | 1320 | 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe | cmd.exe
  PID 1320 wrote to memory of 1020 | 1320 | 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe | cmd.exe
  PID 1320 wrote to memory of 1020 | 1320 | 0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe | cmd.exe
  PID 1020 wrote to memory of 1476 | 1020 | cmd.exe | PING.EXE
  PID 1020 wrote to memory of 1476 | 1020 | cmd.exe | PING.EXE
  PID 1020 wrote to memory of 1476 | 1020 | cmd.exe | PING.EXE
  PID 1020 wrote to memory of 1476 | 1020 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe
  "C:\Users\Admin\AppData\Local\Temp\0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1320
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1652
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0962ed4cde8b1ffd72fe804a49651c88723e0e39512227a2602864a36237154e.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1020
    - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      - Runs ping.exe
      PID: 1476
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 46f3a7924d2163d4ec1d02cdac67aeaf
  SHA1: 1aa65393a4b8f940ec6353aadb14f7134f603487
  SHA256: 6a7e55cb51f28efa0c7befc5b68542875b2f04c6062b6afe1cd46f66053ca289
  SHA512: 0432671b5f81512d5b7899a884f99fb536a417aa71dd22cd454ecf14102f2f3fb39a3c55f1727cbe6b40b473df5a7a995eb708935dbddacdc63c4213c1313c54
- memory/1320-54-0x0000000074B21000-0x0000000074B23000-memory.dmp
  Filesize: 8KB