Analysis
- max time kernel: 122s
- max time network: 143s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:44
Static task: static1
Behavioral task: behavioral1
- Sample: 092deb110cc9b450e02114f32d503dc1bb4bc786882501e83244dde8e83140a3.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 092deb110cc9b450e02114f32d503dc1bb4bc786882501e83244dde8e83140a3.exe
- Resource: win10v2004-en-20220112
General
- Target: 092deb110cc9b450e02114f32d503dc1bb4bc786882501e83244dde8e83140a3.exe
- Size: 36KB
- MD5: b31c7d8eeaea05cf2843e8bcd4cf5e9f
- SHA1: 04ca885eee712a1cefc7fae24a6e327f20a1a410
- SHA256: 092deb110cc9b450e02114f32d503dc1bb4bc786882501e83244dde8e83140a3
- SHA512: 4f8f25872f7c4fd617f15090e51dc8b39362b26f3ed3d131170278f9f526eaf8972e81bf50308fe6b985f30f6c75edb46ff15afbc3244496c7688c825eae4728
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1600
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 1528
- Loads dropped DLL (2 IoCs)
  Process: 092deb110cc9b450e02114f32d503dc1bb4bc786882501e83244dde8e83140a3.exe, PID 1204 (two loads recorded)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 092deb110cc9b450e02114f32d503dc1bb4bc786882501e83244dde8e83140a3.exe, PID 1204
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege
  Process: 092deb110cc9b450e02114f32d503dc1bb4bc786882501e83244dde8e83140a3.exe, PID 1204
- Suspicious use of WriteProcessMemory (12 IoCs; each source/target pair is recorded four times)
  PID 1204 (092deb110cc9b450e02114f32d503dc1bb4bc786882501e83244dde8e83140a3.exe) wrote to memory of PID 1600 (MediaCenter.exe)
  PID 1204 (092deb110cc9b450e02114f32d503dc1bb4bc786882501e83244dde8e83140a3.exe) wrote to memory of PID 1528 (cmd.exe)
  PID 1528 (cmd.exe) wrote to memory of PID 844 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\092deb110cc9b450e02114f32d503dc1bb4bc786882501e83244dde8e83140a3.exe (depth 1, PID 1204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\092deb110cc9b450e02114f32d503dc1bb4bc786882501e83244dde8e83140a3.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 1600)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1528)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\092deb110cc9b450e02114f32d503dc1bb4bc786882501e83244dde8e83140a3.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 844)
      Command line: ping 127.0.0.1
      - Runs ping.exe
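The process tree above is the classic drop-persist-erase sequence: the sample writes MediaCenter.exe to its own Temp directory, registers it under a Run key, launches it, then spawns cmd.exe to `ping 127.0.0.1` (a one-second delay so the shell outlives its parent) and `del` its original binary. As an added example, not part of the sandbox report and not the sample's code, the Python below turns that behaviour into detection logic over constructed Sysmon-style process-creation and registry events that mirror the report's PIDs, paths and Run-key write. The event dataclasses, the benign look-alike events (PIDs 1000, 2000, 3000) and all helper names are assumptions made for illustration.

```python
"""Detection logic for the drop / Run-key / self-delete pattern in the report, over constructed events."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal process-creation record (assumed shape, Sysmon event 1-like)."""
    pid: int
    ppid: int
    image: str
    command_line: str


@dataclass(frozen=True)
class RegistrySet:
    """Minimal registry value-set record (assumed shape, Sysmon event 13-like)."""
    pid: int
    key: str
    data: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\092deb110cc9b450e02114f32d503dc1bb4bc786882501e83244dde8e83140a3.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report's process tree and Run-key write,
# plus benign look-alikes (PIDs 1000, 2000, 3000) that must not fire.
PROCESS_EVENTS = [
    ProcessCreate(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessCreate(1204, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcessCreate(1600, 1204, DROPPED, DROPPED),
    ProcessCreate(1528, 1204, r"C:\Windows\SysWOW64\cmd.exe",
                  f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcessCreate(844, 1528, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # an operator deleting a log after a ping: same shell shape, not self-deletion
    ProcessCreate(2000, 1000, r"C:\Windows\System32\cmd.exe",
                  r'"C:\Windows\System32\cmd.exe" /c ping 10.0.0.1 & del /q C:\temp\old.log'),
]
REGISTRY_EVENTS = [
    RegistrySet(1204, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia", DROPPED),
    RegistrySet(3000, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                r"C:\Program Files\Vendor\updater.exe"),
]

PING_RE = re.compile(r"\bping(?:\.exe)?\b", re.I)
DEL_RE = re.compile(r'del\b(?:\s+/\w+)*\s+"?(.+?)"?\s*$', re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def del_target(command_line: str) -> Optional[str]:
    """Return the path removed by a 'ping ... & del ...' chain, or None if that shape is absent."""
    saw_ping = False
    for seg in (s.strip() for s in command_line.split("&")):
        if PING_RE.search(seg):
            saw_ping = True          # ping is the delay; the del must come after it
            continue
        m = DEL_RE.match(seg) if saw_ping else None
        if m:
            return m.group(1).strip()
    return None


def detect_self_deletion(events: List[ProcessCreate]) -> List[Tuple[int, int, str]]:
    """Flag cmd.exe children whose del target is their parent's own image (Indicator Removal: File Deletion, T1070.004).
    Matching on the image suffix tolerates the SysWOW64/System32 redirection visible in the report."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        target, parent = del_target(e.command_line), by_pid.get(e.ppid)
        if target and parent and target.lower() == parent.image.lower():
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def detect_temp_run_key(events: List[RegistrySet]) -> List[Tuple[int, str, str]]:
    """Flag Run/RunOnce values whose data points into a user Temp directory (Registry Run Keys, T1547.001).
    The key pattern is not anchored on Wow6432Node, so 32-bit writers redirected there still match."""
    return [(r.pid, r.key, r.data) for r in events
            if RUN_KEY_RE.search(r.key) and USER_TEMP_RE.search(r.data)]


def correlate(procs: List[ProcessCreate], regs: List[RegistrySet]) -> List[int]:
    """PIDs that both persisted from Temp and then erased their own binary: the report's full pattern."""
    persisted = {pid for pid, _, _ in detect_temp_run_key(regs)}
    erased = {parent_pid for _, parent_pid, _ in detect_self_deletion(procs)}
    return sorted(persisted & erased)


if __name__ == "__main__":
    for hit in detect_self_deletion(PROCESS_EVENTS):
        print("self-delete:", hit)
    for hit in detect_temp_run_key(REGISTRY_EVENTS):
        print("temp run key:", hit)
    print("correlated pids:", correlate(PROCESS_EVENTS, REGISTRY_EVENTS))
```

Two redirection details in the report matter for writing these matches on real telemetry. The sample is 32-bit on an x64 guest, so its request for `C:\Windows\System32\cmd.exe` is served from `C:\Windows\SysWOW64\cmd.exe` by WoW64 file-system redirection (the image path and the command line disagree), and its write to `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` lands under `Wow6432Node` by registry redirection. Rules that anchor on the exact System32 path or on the non-redirected key will miss both.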
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also recorded as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; all three entries carry identical hashes)
  MD5: 00af93ba6a294b6f6bbe7a34a33eff45
  SHA1: 7ee046b7b15bcc7ac18b45db53a927e1e7187b19
  SHA256: 0f3e614128a4f77bfe5dfd9419c55f23c0bfe6dbcfaa1a4a28f5bd5fd57159b4
  SHA512: 61b5b696cb897e2873da360c7fabecec10ea1ec346073b411c2f73146f7d6e7afeb4daebaa2c2c7de5c1aebfccf659cd5753d7e5e0351f2afb57c0a54d5be480
- memory/1204-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
  Filesize: 8KB