Analysis
- max time kernel: 122s
- max time network: 137s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:38
Static task: static1
Behavioral task: behavioral1
- Sample: 0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe
- Resource: win10v2004-en-20220112
General
- Target: 0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe
- Size: 36KB
- MD5: 60d200dbaac19379a4af14c712f95289
- SHA1: 3b17416b85e9375533504a49877c77a79922865d
- SHA256: 0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91
- SHA512: 8c2933421d751530ca955e231b533fd3328908f9f39b760a3045285d0300ccdc3cf030544521ec82486ce2e579b39ec978d3c16282742e61ac5d63cc268de8a3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1468  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1792  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1296  0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe
    1296  0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1296  0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1296 wrote to memory of 1468  1296  0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe  MediaCenter.exe
    PID 1296 wrote to memory of 1468  1296  0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe  MediaCenter.exe
    PID 1296 wrote to memory of 1468  1296  0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe  MediaCenter.exe
    PID 1296 wrote to memory of 1468  1296  0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe  MediaCenter.exe
    PID 1296 wrote to memory of 1792  1296  0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe  cmd.exe
    PID 1296 wrote to memory of 1792  1296  0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe  cmd.exe
    PID 1296 wrote to memory of 1792  1296  0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe  cmd.exe
    PID 1296 wrote to memory of 1792  1296  0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe  cmd.exe
    PID 1792 wrote to memory of 432  1792  cmd.exe  PING.EXE
    PID 1792 wrote to memory of 432  1792  cmd.exe  PING.EXE
    PID 1792 wrote to memory of 432  1792  cmd.exe  PING.EXE
    PID 1792 wrote to memory of 432  1792  cmd.exe  PING.EXE
Processes (indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1296
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1468
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0972d87b9bbca3bef7654ddb0d8345a5fce38b948a11930a6f4230071e18ab91.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1792
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 432
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 89ffc0015600670f763a9ecc253e4e92
  SHA1: b7f506cb1a0ac218261284010b6c11e9ba1ca455
  SHA256: 25bdff0f5c4697609194604ab7f742e9a1c7d794f10e86dacbd59a14144d1c15
  SHA512: 9b727216c52b4ba791ed39acbca3d6a8715fe8766cc4702827a22a5432ce3bcc98099be5556353ca5dcdb6f56c19c8f1b4bd9aec0276a281d80dbac03841d0ad
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 89ffc0015600670f763a9ecc253e4e92
  SHA1: b7f506cb1a0ac218261284010b6c11e9ba1ca455
  SHA256: 25bdff0f5c4697609194604ab7f742e9a1c7d794f10e86dacbd59a14144d1c15
  SHA512: 9b727216c52b4ba791ed39acbca3d6a8715fe8766cc4702827a22a5432ce3bcc98099be5556353ca5dcdb6f56c19c8f1b4bd9aec0276a281d80dbac03841d0ad
- memory/1296-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
  Filesize: 8KB