Analysis
- max time kernel: 144s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:45

Static task: static1

Behavioral task: behavioral1
- Sample: 091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe
- Resource: win10v2004-en-20220113
General
- Target: 091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe
- Size: 36KB
- MD5: 0eaf55875b53b204e67aa58090b4f5bc
- SHA1: d759232ea9df0e797352a3191813ca94a1898dda
- SHA256: 091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4
- SHA512: be8614107185c8ad01af74cda6a84f88407a6a69acef2065104737c76dab5ae056f148ced4c90e22f02df5c2c07753c68c972cbc4f77dcfefcd847a0bcf888bd
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 1612  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid 1216  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1664  091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe
    pid 1664  091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid 1664  091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1664 wrote to memory of 1612 | 1664 | 091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe | MediaCenter.exe
    PID 1664 wrote to memory of 1612 | 1664 | 091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe | MediaCenter.exe
    PID 1664 wrote to memory of 1612 | 1664 | 091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe | MediaCenter.exe
    PID 1664 wrote to memory of 1612 | 1664 | 091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe | MediaCenter.exe
    PID 1664 wrote to memory of 1216 | 1664 | 091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe | cmd.exe
    PID 1664 wrote to memory of 1216 | 1664 | 091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe | cmd.exe
    PID 1664 wrote to memory of 1216 | 1664 | 091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe | cmd.exe
    PID 1664 wrote to memory of 1216 | 1664 | 091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe | cmd.exe
    PID 1216 wrote to memory of 1092 | 1216 | cmd.exe | PING.EXE
    PID 1216 wrote to memory of 1092 | 1216 | cmd.exe | PING.EXE
    PID 1216 wrote to memory of 1092 | 1216 | cmd.exe | PING.EXE
    PID 1216 wrote to memory of 1092 | 1216 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1664
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1612
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\091e2e5dd2f1c1ec72309a6b1436622c8ef0c1034d96332386d08e19aac6dcb4.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1216
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1092
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 093e8e7b0e1acc435c82601d50f3e2c8
  SHA1: b6f7f8bcf71d931f791ba6f92c707c8629d02184
  SHA256: 90c9b43e2ed76c9695fd640e231bfdaa77b10dffbfb94ab1789bfc697121d38d
  SHA512: cb6d75059cecc581657b819870339007b07838a368c331a68f81b956e8b0bf0358168af34329c40bc407239b9a4f7b10020835e748e0a35e5efe1a3cf30d2d68
- memory/1664-55-0x00000000763F1000-0x00000000763F3000-memory.dmp
  Filesize: 8KB