Analysis
- Max time kernel: 123s
- Max time network: 151s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 12-02-2022 09:47
Static task: static1
Behavioral task: behavioral1
  Sample: 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe
  Resource: win10v2004-en-20220112
General
- Target: 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe
- Size: 36KB
- MD5: d267b74f271cc7ceb26ac53a40d78f48
- SHA1: 8b42862716c3e1ebf10f493aeb539f072f51c008
- SHA256: 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93
- SHA512: 53bc41a110d9e578cb9a7599a13a87124f806efcb5fb964b14e8035876a815f1d543bd10411001be3e476da1cff78515339283328184847a9dd42eccf66a76e1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1608 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    428 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    536 | 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe
    536 | 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 536 | 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 536 wrote to memory of 1608 | 536 | 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe | MediaCenter.exe
    PID 536 wrote to memory of 1608 | 536 | 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe | MediaCenter.exe
    PID 536 wrote to memory of 1608 | 536 | 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe | MediaCenter.exe
    PID 536 wrote to memory of 1608 | 536 | 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe | MediaCenter.exe
    PID 536 wrote to memory of 428 | 536 | 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe | cmd.exe
    PID 536 wrote to memory of 428 | 536 | 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe | cmd.exe
    PID 536 wrote to memory of 428 | 536 | 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe | cmd.exe
    PID 536 wrote to memory of 428 | 536 | 090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe | cmd.exe
    PID 428 wrote to memory of 1600 | 428 | cmd.exe | PING.EXE
    PID 428 wrote to memory of 1600 | 428 | cmd.exe | PING.EXE
    PID 428 wrote to memory of 1600 | 428 | cmd.exe | PING.EXE
    PID 428 wrote to memory of 1600 | 428 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe"
  PID: 536
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1608
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\090b87da1706238bf8bbe803c5e5e7ce9e69fccd338d72dce7ee5a563ae78e93.exe"
    PID: 428
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1600
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 6de07468a22e9e076f928847cb923ff3
  SHA1: 51d4c4051325f4c9920873bec75b6cb97a915a15
  SHA256: 7ed6159c17446b921b31980f8ad04a9228f1180dc57f875196665b284ec66932
  SHA512: a96fe6098c2885a1efc091e636295190fba315151e5eb849d1670a669f4bc6df3151d7edd489e282b9532afcb8c933b6766dab1825f6d560567bd200775c24d4
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 6de07468a22e9e076f928847cb923ff3
  SHA1: 51d4c4051325f4c9920873bec75b6cb97a915a15
  SHA256: 7ed6159c17446b921b31980f8ad04a9228f1180dc57f875196665b284ec66932
  SHA512: a96fe6098c2885a1efc091e636295190fba315151e5eb849d1670a669f4bc6df3151d7edd489e282b9532afcb8c933b6766dab1825f6d560567bd200775c24d4
- memory/536-55-0x00000000763B1000-0x00000000763B3000-memory.dmp
  Filesize: 8KB