Analysis
max time kernel: 137s
max time network: 158s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:52
Static task: static1
Behavioral task: behavioral1
  Sample: 08c87bef8ed56d6afa5952e797acca3290e8a86efa70eafa21e017a28b07a3d6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 08c87bef8ed56d6afa5952e797acca3290e8a86efa70eafa21e017a28b07a3d6.exe
  Resource: win10v2004-en-20220113
General
Target: 08c87bef8ed56d6afa5952e797acca3290e8a86efa70eafa21e017a28b07a3d6.exe
Size: 60KB
MD5: 53edab421f527a0a75698595f5d9c80e
SHA1: d10d5eb9e4ce175a56749d29a02151a7b3b015e9
SHA256: 08c87bef8ed56d6afa5952e797acca3290e8a86efa70eafa21e017a28b07a3d6
SHA512: 448af45937f81f388604a22d63b4084af1f87f380ad631c869f02c57fd30908466c5b8b9ff6ccdd12cd8c3e277ed13cc3d82545009d4d868aa918de0e84e8cbc
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe, PID 1892
Deletes itself (1 IoC)
  Processes: cmd.exe, PID 1836
Loads dropped DLL (2 IoCs)
  Processes: 08c87bef8ed56d6afa5952e797acca3290e8a86efa70eafa21e017a28b07a3d6.exe, PID 1712 (2 events)
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 08c87bef8ed56d6afa5952e797acca3290e8a86efa70eafa21e017a28b07a3d6.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 08c87bef8ed56d6afa5952e797acca3290e8a86efa70eafa21e017a28b07a3d6.exe, PID 1712
  Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1712 (08c87bef8ed56d6afa5952e797acca3290e8a86efa70eafa21e017a28b07a3d6.exe) wrote to memory of PID 1892 (MediaCenter.exe), 4 events
  PID 1712 (08c87bef8ed56d6afa5952e797acca3290e8a86efa70eafa21e017a28b07a3d6.exe) wrote to memory of PID 1836 (cmd.exe), 4 events
  PID 1836 (cmd.exe) wrote to memory of PID 1820 (PING.EXE), 4 events
Processes
C:\Users\Admin\AppData\Local\Temp\08c87bef8ed56d6afa5952e797acca3290e8a86efa70eafa21e017a28b07a3d6.exe (PID 1712, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\08c87bef8ed56d6afa5952e797acca3290e8a86efa70eafa21e017a28b07a3d6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1892, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 1836, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08c87bef8ed56d6afa5952e797acca3290e8a86efa70eafa21e017a28b07a3d6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 1820, depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file (listed under three paths):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 13c14ce44d2f0ec98ad63448e19cd310
  SHA1: 5268cac720f697fc447f2cfbb25568aa1584c348
  SHA256: 65a4e321fe0e5648ba8afabc10dbca82816523f6a4559d0cf7b2639e86a6364e
  SHA512: 21b5854f0ebcefa433c8372496607ae5d473e43442cf4eed6281a81e08d0608c556daea38b07b124b578afaaae0a2d91133ce84bb343c11cb5f81f4a68944d99
memory/1712-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB