Analysis

max time kernel: 151s
max time network: 146s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:46

Static task: static1

Behavioral task: behavioral1
  Sample: 0913361b7e03729052ef3d95d1f17d695fa439559b7bd7333dbf7af9e7f548d8.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0913361b7e03729052ef3d95d1f17d695fa439559b7bd7333dbf7af9e7f548d8.exe
  Resource: win10v2004-en-20220113
General

Target: 0913361b7e03729052ef3d95d1f17d695fa439559b7bd7333dbf7af9e7f548d8.exe
Size: 60KB
MD5: 73f9ced25eddd7a52796fafcc0dd38ef
SHA1: 93086d8fcf0bac62f14c1819dd155262bd7da35c
SHA256: 0913361b7e03729052ef3d95d1f17d695fa439559b7bd7333dbf7af9e7f548d8
SHA512: 698aed0ba41ffdb83e721c77577731bf23830fcb4f82d0a01f61d76f79b3af30dd483b4d608b6e7fbe1c0ce03d3fd9fa9af781d4044e6099d1514801f3a98fce
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 1624  MediaCenter.exe

Deletes itself (1 IoC)
  PID 956  cmd.exe
  The original executable is removed by a child cmd.exe running "ping 127.0.0.1 & del /q <sample path>" (see the process tree below). The ping to the loopback address is a delay of a few seconds so that the original process has exited and released its file handle before del runs; after that the sample survives on disk only as the dropped MediaCenter.exe.

Loads dropped DLL (2 IoCs)
  PID 1220  0913361b7e03729052ef3d95d1f17d695fa439559b7bd7333dbf7af9e7f548d8.exe (2 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by PID 1220 (0913361b7e03729052ef3d95d1f17d695fa439559b7bd7333dbf7af9e7f548d8.exe):
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The value sits in the Wow6432Node view, so the sample is a 32-bit process on 64-bit Windows (consistent with the SysWOW64 cmd.exe and PING.EXE images in the process tree). Because the value is under HKLM rather than HKCU, the write could only succeed because the process ran with administrative rights. The persisted binary lives in the user's Temp directory, a location legitimate software rarely uses for an autostart entry.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature. Nothing else in this report (no mass file writes, no dropped ransom note) supports a ransomware classification, so treat it as a weak indicator on its own.

Runs ping.exe (1 TTP, 1 IoC)
  PID 1212  PING.EXE (spawned by cmd.exe, PID 956, as part of the self-deletion command)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1220  0913361b7e03729052ef3d95d1f17d695fa439559b7bd7333dbf7af9e7f548d8.exe  Token: SeIncBasePriorityPrivilege
  SeIncBasePriorityPrivilege only permits raising scheduling priority; it is commonly enabled as a side effect of priority calls and is not by itself a privilege-escalation indicator.

Suspicious use of WriteProcessMemory (12 IoCs)
  source PID  target PID  source process                                                          target process   entries
  1220        1624        0913361b7e03729052ef3d95d1f17d695fa439559b7bd7333dbf7af9e7f548d8.exe    MediaCenter.exe  4
  1220        956         0913361b7e03729052ef3d95d1f17d695fa439559b7bd7333dbf7af9e7f548d8.exe    cmd.exe          4
  956         1212        cmd.exe                                                                 PING.EXE         4
  Every write targets a child the writing process had just created, which is consistent with CreateProcess writing the new process's startup parameters into the child rather than with injection into an unrelated, pre-existing process. The count of 12 reflects the sandbox logging each write separately.
Processes

C:\Users\Admin\AppData\Local\Temp\0913361b7e03729052ef3d95d1f17d695fa439559b7bd7333dbf7af9e7f548d8.exe  (PID 1220)
  command line: "C:\Users\Admin\AppData\Local\Temp\0913361b7e03729052ef3d95d1f17d695fa439559b7bd7333dbf7af9e7f548d8.exe"
  signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1624)
  |     command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |     signatures: Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 956)
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0913361b7e03729052ef3d95d1f17d695fa439559b7bd7333dbf7af9e7f548d8.exe"
        signatures: Deletes itself; Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\PING.EXE  (PID 1212)
              command line: ping 127.0.0.1
              signatures: Runs ping.exe
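The two behaviours that matter most in this report, the Run-key persistence recorded under Signatures and the cmd.exe /c ping ... & del self-deletion shown in the process tree, can be turned into detection logic over process-creation and registry-set events. The Python below is an added example for this page, not the sandbox's own signature engine. Its events are constructed from the report's PIDs, paths and command lines; the launcher process with PID 1000 and its explorer.exe image are placeholders the report does not give, and the benign cleanup command under PID 2000 is invented to exercise the negative case. The self-delete check compares the del target against the parent's image path, so a cmd.exe that deletes some other file is not flagged.

```python
"""Detection logic for two behaviours in the report above: a Run-key value
pointing into a user's Temp directory, and self-deletion through
cmd.exe /c ping ... & del.  Added example for this page, not the sandbox's
signature engine.  Events are constructed from the report's process tree and
registry IoC; PID 1000 / explorer.exe and PID 2000 are placeholders."""
import re
from dataclasses import dataclass

SAMPLE = "0913361b7e03729052ef3d95d1f17d695fa439559b7bd7333dbf7af9e7f548d8.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROPPED_PATH = TEMP + r"\MicroMedia\MediaCenter.exe"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str       # on-disk image path (SysWOW64 for a 32-bit process)
    cmdline: str


@dataclass
class RegSetEvent:
    pid: int
    key: str         # full path of the value, including the value name
    data: str        # string data as the sandbox prints it (backslashes doubled)


# Constructed from the report's process tree; PIDs and command lines as shown.
PROC_EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),        # placeholder launcher
    ProcEvent(1220, 1000, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(1624, 1220, DROPPED_PATH, DROPPED_PATH),
    ProcEvent(956, 1220, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'),
    ProcEvent(1212, 956, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # Constructed benign control: deletes a file that is not its parent's image.
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c del /q "' + TEMP + '\\install.log"'),
]

# Constructed from the report's "Adds Run key" IoC.
REG_EVENTS = [
    RegSetEvent(1220,
                r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
                r"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"),
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# "del [/switches] <path>" up to the next command separator or end of line
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"&|]+?)"?\s*(?:[&|]|$)', re.I)
PING_DELAY_RE = re.compile(r"\bping(?:\.exe)?\b.*?\b(?:127\.0\.0\.1|localhost)\b", re.I)


def find_temp_run_keys(reg_events):
    """Run/RunOnce values whose target lives under %LOCALAPPDATA%\\Temp."""
    hits = []
    for ev in reg_events:
        m = RUN_KEY_RE.search(ev.key)
        if not m:
            continue
        target = ev.data.replace("\\\\", "\\").strip('"')   # undo the sandbox's escaping
        if TEMP_DIR_RE.search(target):
            hits.append({"pid": ev.pid, "value_name": m.group(2), "target": target,
                         "wow64": "\\Wow6432Node\\" in ev.key})
    return hits


def find_self_delete(proc_events):
    """cmd.exe children whose 'del' target is their parent's own image."""
    by_pid = {e.pid: e for e in proc_events}
    hits = []
    for ev in proc_events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(ev.cmdline)
        parent = by_pid.get(ev.ppid)
        if not m or parent is None:
            continue
        target = m.group(1).strip()
        if target.lower() != parent.image.lower():
            continue   # deleting something else: not self-deletion
        hits.append({"pid": ev.pid, "parent_pid": parent.pid, "deleted": target,
                     "ping_delay": bool(PING_DELAY_RE.search(ev.cmdline))})
    return hits


if __name__ == "__main__":
    for hit in find_temp_run_keys(REG_EVENTS) + find_self_delete(PROC_EVENTS):
        print(hit)
```

Run against the constructed events, the Run-key check returns the MicroMedia value with wow64 set, and the self-delete check returns exactly one hit (PID 956, parent 1220) with ping_delay true; the PID 2000 control produces nothing because its del target differs from its parent's image.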
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d440c651297468cd26cbccc15790d9b6
  SHA1: 363ddcd532e2c8a0fc16de6a0aab0049a105c026
  SHA256: 6174a293773e0edcb11711d8460a7bd63eba5639bbd24c0b90278f1071ff928f
  SHA512: 666db67bebd578db9397de00f5b206c555bd8a753100fe25f98bd3e85d02982f6808fcee630983ecf810364bc7316ebf77e3ee48a1acb252014f4cd618c26d69
memory/1220-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB