Analysis
- max time kernel: 124s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:47
Static task: static1
Behavioral task: behavioral1
  Sample: 090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe
  Resource: win10v2004-en-20220112
General
- Target: 090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe
- Size: 60KB
- MD5: 4859a3f92749b1a723955964816838fc
- SHA1: 7da946d41d3f6d5386555e1fea8cbf9f604f0b7f
- SHA256: 090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa
- SHA512: 39ec132a54aec5d3c474a45471a7adb26afa067c2faa6b772b3f4c5680bc5dfa2fb706bbfcd58b5117cd81351703994125257b7c626bd07c27f72ee5a18803f3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1224)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 1404)
- Loads dropped DLL (2 IoCs)
  Process: 090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe (PID 1900), 2 events
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe (PID 1900)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: the Wow6432Node path shows a 32-bit process writing the Run key through WoW64 registry redirection. The value points at the dropped copy in the user's Temp directory, which is what survives after the original file is deleted by the cmd.exe line in the process tree.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: this is the sandbox's generic description for the signature; the only file write this report records is the dropped MediaCenter.exe, so nothing else here supports a ransomware classification on its own.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 608), ping 127.0.0.1, used only as a delay before the del command in the cmd.exe line.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe (PID 1900), token privilege adjusted: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1900 (090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe) wrote to memory of PID 1224 (MediaCenter.exe), 4 events
  PID 1900 (090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe) wrote to memory of PID 1404 (cmd.exe), 4 events
  PID 1404 (cmd.exe) wrote to memory of PID 608 (PING.EXE), 4 events
  Note: every target is a direct child of the writing process, which is the pattern ordinary process creation produces. The report shows no writes into an unrelated process, so this signature is not evidence of injection by itself.
Processes
- C:\Users\Admin\AppData\Local\Temp\090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe (PID 1900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1224)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1404)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 608)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe

Note: the command line names C:\Windows\System32\cmd.exe while the image that actually ran is C:\Windows\SysWOW64\cmd.exe. That is WoW64 file system redirection for a 32-bit parent, not a tampered path. The ping to 127.0.0.1 only buys time for PID 1900 to exit so that del /q can remove its image; this is the standard cmd.exe self-deletion idiom, and the persistence copy in MicroMedia\MediaCenter.exe is untouched by it.
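The two behaviours the report records, a Run-key value pointing into the user's Temp directory and the ping-delay self-deletion through cmd.exe, written as detection logic over constructed process and registry events. This is an added example, not code from the sandbox or from this report; the event dictionary layout, the parent PID of the sample, and the benign control entry are assumptions for illustration, while the paths, PIDs, registry key and command line are taken from the tree above.

```python
"""Detection logic for two behaviours in the report: a Run-key value that
points into the user's Temp directory, and the `cmd /c ping ... & del`
self-deletion idiom. Added example, not sandbox or vendor code."""
import json
import re

# Constructed event records in a minimal Sysmon-like shape (an assumption,
# not a real Sysmon schema). PIDs, images, the registry write and the cmd.exe
# command line mirror the process tree above; the last record is a benign
# control (an installer registering an autostart under Program Files).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"type": "process", "pid": 1900, "ppid": 1000, "image": SAMPLE,
     "command_line": '"%s"' % SAMPLE},
    {"type": "registry", "pid": 1900, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": 1224, "ppid": 1900, "image": DROPPED,
     "command_line": DROPPED},
    {"type": "process", "pid": 1404, "ppid": 1900,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "%s"' % SAMPLE},
    {"type": "process", "pid": 608, "ppid": 1404,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "command_line": "ping 127.0.0.1"},
    {"type": "registry", "pid": 2222, "image": r"C:\Program Files\Foo\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Foo",
     "value": r"C:\Program Files\Foo\foo.exe"},
]

# Run and RunOnce, under either the native or the Wow6432Node hive path.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# User-writable location a legitimate autostart entry should not live in.
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# cmd /c ping <host> [> nul] & del [/switches] "<target>"; also tolerates the
# "-n <count>" and "> nul" additions some variants of the idiom use.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+ping\s+(?:-n\s+\d+\s+)?\S+(?:\s*>\s*nul)?'
    r'\s*&+\s*del\s+(?:/\w+\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE)


def parse_delete_target(command_line):
    """Return the path a ping-then-del command line deletes, or None."""
    m = SELF_DELETE_RE.search(command_line)
    return m.group("target").strip() if m else None


def detect_run_key_persistence(events):
    """Flag Run/RunOnce values whose target lives under %LOCALAPPDATA%\\Temp."""
    hits = []
    for ev in events:
        if ev.get("type") != "registry" or not RUN_KEY_RE.search(ev["key"]):
            continue
        if TEMP_PATH_RE.search(ev["value"]):
            hits.append({"pid": ev["pid"], "image": ev["image"],
                         "key": ev["key"], "value": ev["value"]})
    return hits


def detect_self_delete(events):
    """Flag cmd.exe launches using the ping-delay delete idiom and mark the
    ones whose target is the parent's own image (true self-deletion)."""
    procs = {ev["pid"]: ev for ev in events if ev.get("type") == "process"}
    hits = []
    for ev in procs.values():
        target = parse_delete_target(ev["command_line"])
        if target is None:
            continue
        parent = procs.get(ev["ppid"])
        hits.append({"pid": ev["pid"], "deleted": target,
                     "self_delete": parent is not None
                     and parent["image"].lower() == target.lower()})
    return hits


def analyze(events=EVENTS):
    """Run both detections and return their findings keyed by behaviour."""
    return {"run_key_persistence": detect_run_key_persistence(events),
            "self_delete": detect_self_delete(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

Matching the self-deletion on the command line rather than on the image path is deliberate: the tree shows the command line naming System32\cmd.exe while the image that ran is SysWOW64\cmd.exe, so a filter pinned to one directory would miss one of the two. The self_delete flag is what separates this case from a script that merely deletes some other file after a delay: the deleted path is compared against the parent process's own image, which in the tree above is PID 1900.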
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f2e8ab3eb0279895ac08921819a14e46
  SHA1: a874c7ef9efe95f68612d68af3dc65786a1543ae
  SHA256: 91b9ab50d5267e93cd23a7f6b683c37245b5da7d410372e853618d004aec946d
  SHA512: b9fc5b3d47d1380761f7377181cec92e1ad924f181f49e87664df5b4ac5fa1575f03954fd7cbac575b222d00db5a5a0f8400458ff3f389cdc7e8f12d5de50d95
- memory/1900-55-0x00000000760F1000-0x00000000760F3000-memory.dmp
  Filesize: 8KB