Analysis
- max time kernel: 123s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:44
Static task: static1
Behavioral task: behavioral1
- Sample: 0928624b7d59e9d491302363bf11c52a59b1769e11d53e4f71ce2d8122ac8951.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0928624b7d59e9d491302363bf11c52a59b1769e11d53e4f71ce2d8122ac8951.exe
- Resource: win10v2004-en-20220112
General
- Target: 0928624b7d59e9d491302363bf11c52a59b1769e11d53e4f71ce2d8122ac8951.exe
- Size: 58KB
- MD5: 2bc86c2ddec74fa677ca32e39e9e94b9
- SHA1: 854922540f9bc57a08ac3bab4d1949de798a3fd9
- SHA256: 0928624b7d59e9d491302363bf11c52a59b1769e11d53e4f71ce2d8122ac8951
- SHA512: 576faace738dc35c19dfc7d550043f2ac61864b7dec9c0e4ed51b477e73db158fc1502b6f84e720c1a5eb1e1d0c6c216e446797462296676b32c864c980581ea
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1100, process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: pid 816, process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 1876, process 0928624b7d59e9d491302363bf11c52a59b1769e11d53e4f71ce2d8122ac8951.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 0928624b7d59e9d491302363bf11c52a59b1769e11d53e4f71ce2d8122ac8951.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process 0928624b7d59e9d491302363bf11c52a59b1769e11d53e4f71ce2d8122ac8951.exe (pid 1876): Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1876 (0928624b7d59e9d491302363bf11c52a59b1769e11d53e4f71ce2d8122ac8951.exe) wrote to memory of PID 1100 (MediaCenter.exe): 4 events
  PID 1876 (0928624b7d59e9d491302363bf11c52a59b1769e11d53e4f71ce2d8122ac8951.exe) wrote to memory of PID 816 (cmd.exe): 4 events
  PID 816 (cmd.exe) wrote to memory of PID 440 (PING.EXE): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\0928624b7d59e9d491302363bf11c52a59b1769e11d53e4f71ce2d8122ac8951.exe (PID 1876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0928624b7d59e9d491302363bf11c52a59b1769e11d53e4f71ce2d8122ac8951.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1100)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 816)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0928624b7d59e9d491302363bf11c52a59b1769e11d53e4f71ce2d8122ac8951.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 440)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 24c8d30546a9040d4622e07d39e56397
  SHA1: 75d4c2906078928e562d29fde7727157adfca6a0
  SHA256: c3c5d4cdd6681fdcbe2781fac960210d6437a6c57e81116cfe26ddf26879f2c5
  SHA512: 69bb42123f1e7c9d733130660c14ec0b87e7654b375adc36cb53850443dc11c18643586b907426f13554fb0fd8115b01ee8587ba21fd31c021c93f31b8ab5576
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 24c8d30546a9040d4622e07d39e56397
  SHA1: 75d4c2906078928e562d29fde7727157adfca6a0
  SHA256: c3c5d4cdd6681fdcbe2781fac960210d6437a6c57e81116cfe26ddf26879f2c5
  SHA512: 69bb42123f1e7c9d733130660c14ec0b87e7654b375adc36cb53850443dc11c18643586b907426f13554fb0fd8115b01ee8587ba21fd31c021c93f31b8ab5576
- memory/1876-55-0x00000000760F1000-0x00000000760F3000-memory.dmp
  Filesize: 8KB