Analysis
max time kernel: 128s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:51
Static task: static1
Behavioral task: behavioral1
  Sample: 08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe
  Resource: win10v2004-en-20220112
General
Target: 08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe
Size: 35KB
MD5: bfc398516e263aec273534003a389688
SHA1: 57cc3a492876278bf1f5cdaaf42e8c49f40286b2
SHA256: 08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430
SHA512: 896301ed1b18d68b74554299ab63a427764be1788e3fe12c536f5693542e8a2cbe837683bd54590de0a6511f56f4797349d20922dfbc72dc202c61af94288ccb
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1616  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1536  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1608  08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe
    1608  08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1608  08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1608 wrote to memory of 1616  1608  08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe  MediaCenter.exe
    PID 1608 wrote to memory of 1616  1608  08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe  MediaCenter.exe
    PID 1608 wrote to memory of 1616  1608  08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe  MediaCenter.exe
    PID 1608 wrote to memory of 1616  1608  08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe  MediaCenter.exe
    PID 1608 wrote to memory of 1536  1608  08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe  cmd.exe
    PID 1608 wrote to memory of 1536  1608  08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe  cmd.exe
    PID 1608 wrote to memory of 1536  1608  08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe  cmd.exe
    PID 1608 wrote to memory of 1536  1608  08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe  cmd.exe
    PID 1536 wrote to memory of 960  1536  cmd.exe  PING.EXE
    PID 1536 wrote to memory of 960  1536  cmd.exe  PING.EXE
    PID 1536 wrote to memory of 960  1536  cmd.exe  PING.EXE
    PID 1536 wrote to memory of 960  1536  cmd.exe  PING.EXE
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1608
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1616
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08e26016ec263ec6b689bb2c02e30b1421baefcba9bab32c82658c23a4ecc430.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1536
    - (depth 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 960
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: b676cac03ca5c0ba3760b03271f894fd
  SHA1: f281db75ef14790899547e113f60761deafaeb1d
  SHA256: dcc79a62c2d0ad60e6dc71b17643189d2668b2ba282da4be6c36e82f81ba1ad6
  SHA512: 26c36df5efab42855d78b31a6901f619c844c7802667dc7cec8f51e01e3e7b3970d78ae64f30114522bfdf143ef0d18573bf70a99146010873c22efb869b76b4
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: b676cac03ca5c0ba3760b03271f894fd
  SHA1: f281db75ef14790899547e113f60761deafaeb1d
  SHA256: dcc79a62c2d0ad60e6dc71b17643189d2668b2ba282da4be6c36e82f81ba1ad6
  SHA512: 26c36df5efab42855d78b31a6901f619c844c7802667dc7cec8f51e01e3e7b3970d78ae64f30114522bfdf143ef0d18573bf70a99146010873c22efb869b76b4
- memory/1608-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB