Analysis
- max time kernel: 157s
- max time network: 173s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:54
Static task: static1
Behavioral task: behavioral1
- Sample: 08a67c5b9324b00b99813d59133fd931f0b695209b91ebf516e43f8e2c8fa2fb.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 08a67c5b9324b00b99813d59133fd931f0b695209b91ebf516e43f8e2c8fa2fb.exe
- Resource: win10v2004-en-20220112
General
- Target: 08a67c5b9324b00b99813d59133fd931f0b695209b91ebf516e43f8e2c8fa2fb.exe
- Size: 60KB
- MD5: 93c5011751d5b48d9bb4596c10555a96
- SHA1: 4b9db58b326a85566b6349c9a6d549218ddaf71f
- SHA256: 08a67c5b9324b00b99813d59133fd931f0b695209b91ebf516e43f8e2c8fa2fb
- SHA512: 1e1df8e00ecdad885885562b4b17b7c5999ad5f1a271a135f0408090c0773a1b6f7336d7ece59461f5c65def920b1f08017418c06f70d9d624a3ce2178931a28
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1064 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: PID 588 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1788 08a67c5b9324b00b99813d59133fd931f0b695209b91ebf516e43f8e2c8fa2fb.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 08a67c5b9324b00b99813d59133fd931f0b695209b91ebf516e43f8e2c8fa2fb.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: PID 1788 08a67c5b9324b00b99813d59133fd931f0b695209b91ebf516e43f8e2c8fa2fb.exe
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID / process -> target PID / process):
  4 x PID 1788 08a67c5b9324b00b99813d59133fd931f0b695209b91ebf516e43f8e2c8fa2fb.exe wrote to memory of 1064 MediaCenter.exe
  4 x PID 1788 08a67c5b9324b00b99813d59133fd931f0b695209b91ebf516e43f8e2c8fa2fb.exe wrote to memory of 588 cmd.exe
  4 x PID 588 cmd.exe wrote to memory of 1944 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\08a67c5b9324b00b99813d59133fd931f0b695209b91ebf516e43f8e2c8fa2fb.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\08a67c5b9324b00b99813d59133fd931f0b695209b91ebf516e43f8e2c8fa2fb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1788
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1064
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08a67c5b9324b00b99813d59133fd931f0b695209b91ebf516e43f8e2c8fa2fb.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 588
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1944
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: dea9459084a4f7b520f9fd6261dae4f0
  SHA1: bbcc5943bf5ab7402388067ff187bf68b5e6fa35
  SHA256: 48496cbdd00af8de929d35753f63bd58fd169fe8490bb57bb0959a2118e63a68
  SHA512: d45d63a32aad305728ff2cbcdaaa2fb17eb97d293337cd755419f7b5a004edb2be6662b00a2f0555ccec80916549258e2442181469dc1b918d10e779ef7a4aa3
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: dea9459084a4f7b520f9fd6261dae4f0
  SHA1: bbcc5943bf5ab7402388067ff187bf68b5e6fa35
  SHA256: 48496cbdd00af8de929d35753f63bd58fd169fe8490bb57bb0959a2118e63a68
  SHA512: d45d63a32aad305728ff2cbcdaaa2fb17eb97d293337cd755419f7b5a004edb2be6662b00a2f0555ccec80916549258e2442181469dc1b918d10e779ef7a4aa3
- memory/1788-54-0x0000000076001000-0x0000000076003000-memory.dmp
  Filesize: 8KB