Analysis
- max time kernel: 128s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:38
Static task: static1
Behavioral task: behavioral1
  Sample: 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
  Resource: win10v2004-en-20220113
General
- Target: 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
- Size: 60KB
- MD5: 78fddc5dd46a5b4b4e3f7a129cb00b11
- SHA1: f540a2c7d689532991222ddc2018e70853dd8fc1
- SHA256: 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88
- SHA512: 0f46d028795b4cb4bdd4e9ed1c38f662af0d860652922a91510ea0ce3db7506f7c77bf8847780037268e2916ec8188532bf80ab8454fb5a04dfc140c338143b6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1548  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    PID 1796  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 1732  09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
    PID 1732  09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  PID 1732  09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1732 wrote to memory of 1548  09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe -> MediaCenter.exe  (4 events)
    PID 1732 wrote to memory of 1796  09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe -> cmd.exe  (4 events)
    PID 1796 wrote to memory of 1560  cmd.exe -> PING.EXE  (4 events)
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe"
  PID: 1732
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (level 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1548
    - Executes dropped EXE
  (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe"
    PID: 1796
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1560
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 682e2bec03f4a23ff081497c1b413d3b
  SHA1: 73f80ffd3167e8a2bd122353930f13021794a01f
  SHA256: 19b9b6626aca23761c3335e79720576e842e9931fa2b2098dfdf18848b15333a
  SHA512: a72e7588bad1482fa317f3542dd418a25aff84b99b02e5c0701a43142188b0156faa5213ef7a2471394739dd313c0ff4527a5c2d7814d672959df123868f3b59
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 682e2bec03f4a23ff081497c1b413d3b
  SHA1: 73f80ffd3167e8a2bd122353930f13021794a01f
  SHA256: 19b9b6626aca23761c3335e79720576e842e9931fa2b2098dfdf18848b15333a
  SHA512: a72e7588bad1482fa317f3542dd418a25aff84b99b02e5c0701a43142188b0156faa5213ef7a2471394739dd313c0ff4527a5c2d7814d672959df123868f3b59
- memory/1732-55-0x0000000074F11000-0x0000000074F13000-memory.dmp
  Filesize: 8KB