Analysis
max time kernel: 122s
max time network: 130s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:42
Static task: static1
Behavioral task: behavioral1
  Sample: 093fe99911ef1ae387c4b0c1edab21d126ea0a603adc21a5c5995a09b64882e3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 093fe99911ef1ae387c4b0c1edab21d126ea0a603adc21a5c5995a09b64882e3.exe
  Resource: win10v2004-en-20220112
General
Target: 093fe99911ef1ae387c4b0c1edab21d126ea0a603adc21a5c5995a09b64882e3.exe
Size: 60KB
MD5: 82e4f3061dc202892388523855316337
SHA1: 833411b04196fc3301236c64031e68f7557ef4fe
SHA256: 093fe99911ef1ae387c4b0c1edab21d126ea0a603adc21a5c5995a09b64882e3
SHA512: b6523569c6cb07c50de6852ed5b38f1756920d0c8f6f686ffc0a00c6b45e92554f04e834dc6569af92a286b915ad7c9a6acf888888f49c9b4d51f500e3487ed6
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  Processes: PID 1600 MediaCenter.exe
Deletes itself (1 IoCs)
  Processes: PID 1528 cmd.exe
Loads dropped DLL (2 IoCs)
  Processes: PID 1204 093fe99911ef1ae387c4b0c1edab21d126ea0a603adc21a5c5995a09b64882e3.exe (2 events)
Adds Run key to start application (2 TTPs, 1 IoCs)
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 093fe99911ef1ae387c4b0c1edab21d126ea0a603adc21a5c5995a09b64882e3.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Token SeIncBasePriorityPrivilege, PID 1204 093fe99911ef1ae387c4b0c1edab21d126ea0a603adc21a5c5995a09b64882e3.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID -> target PID, source process -> target process):
  PID 1204 wrote to memory of 1600: 093fe99911ef1ae387c4b0c1edab21d126ea0a603adc21a5c5995a09b64882e3.exe -> MediaCenter.exe (4 events)
  PID 1204 wrote to memory of 1528: 093fe99911ef1ae387c4b0c1edab21d126ea0a603adc21a5c5995a09b64882e3.exe -> cmd.exe (4 events)
  PID 1528 wrote to memory of 980: cmd.exe -> PING.EXE (4 events)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\093fe99911ef1ae387c4b0c1edab21d126ea0a603adc21a5c5995a09b64882e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\093fe99911ef1ae387c4b0c1edab21d126ea0a603adc21a5c5995a09b64882e3.exe"
  PID: 1204
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1600
    - Executes dropped EXE
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\093fe99911ef1ae387c4b0c1edab21d126ea0a603adc21a5c5995a09b64882e3.exe"
    PID: 1528
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 980
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 79f4befe8fe8c407393459967515d4a4
  SHA1: 5c6f6df3e0cfbdda8249d9121dcd6012e2ad1e90
  SHA256: ee9e3ad28f9d16c1fa247876c567af38efdc180043460c79b8d51022539238cc
  SHA512: ab5d373b52eb0e311dca3aeb2fb441e095922a6b96a1fca33a0d2ac9ab8bd3e5b2c2ecb25633425662f933934f06fdc1098efd041da0d3d32df66d47f705b601
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 79f4befe8fe8c407393459967515d4a4
  SHA1: 5c6f6df3e0cfbdda8249d9121dcd6012e2ad1e90
  SHA256: ee9e3ad28f9d16c1fa247876c567af38efdc180043460c79b8d51022539238cc
  SHA512: ab5d373b52eb0e311dca3aeb2fb441e095922a6b96a1fca33a0d2ac9ab8bd3e5b2c2ecb25633425662f933934f06fdc1098efd041da0d3d32df66d47f705b601
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 79f4befe8fe8c407393459967515d4a4
  SHA1: 5c6f6df3e0cfbdda8249d9121dcd6012e2ad1e90
  SHA256: ee9e3ad28f9d16c1fa247876c567af38efdc180043460c79b8d51022539238cc
  SHA512: ab5d373b52eb0e311dca3aeb2fb441e095922a6b96a1fca33a0d2ac9ab8bd3e5b2c2ecb25633425662f933934f06fdc1098efd041da0d3d32df66d47f705b601
memory/1204-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
  Filesize: 8KB