Analysis
max time kernel: 145s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:59

Static task: static1
Behavioral task: behavioral1
Sample: 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe
Resource: win10v2004-en-20220113
General
Target: 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe
Size: 36KB
MD5: aa78aed645dbb1ed01cfe87f73467f7d
SHA1: c7451defd00ac3ed8245eb04728a26f1b095270f
SHA256: 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b
SHA512: 61f05be2d57a676cd28e6b1195f201420b53cafcd8f1197e93a491691f3bb21c46c57426480a4a58932a226370408bfc08ce0b788170f809026a57af9be3cf89
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
pid process
1684 MediaCenter.exe
Deletes itself 1 IoCs
Processes:
pid process
776 cmd.exe
Loads dropped DLL 2 IoCs
Processes:
pid process
1392 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe
1392 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process
Token: SeIncBasePriorityPrivilege 1392 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description pid process target process
PID 1392 wrote to memory of 1684 1392 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe MediaCenter.exe
PID 1392 wrote to memory of 1684 1392 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe MediaCenter.exe
PID 1392 wrote to memory of 1684 1392 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe MediaCenter.exe
PID 1392 wrote to memory of 1684 1392 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe MediaCenter.exe
PID 1392 wrote to memory of 776 1392 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe cmd.exe
PID 1392 wrote to memory of 776 1392 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe cmd.exe
PID 1392 wrote to memory of 776 1392 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe cmd.exe
PID 1392 wrote to memory of 776 1392 08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe cmd.exe
PID 776 wrote to memory of 1096 776 cmd.exe PING.EXE
PID 776 wrote to memory of 1096 776 cmd.exe PING.EXE
PID 776 wrote to memory of 1096 776 cmd.exe PING.EXE
PID 776 wrote to memory of 1096 776 cmd.exe PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe
"C:\Users\Admin\AppData\Local\Temp\08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:1684
    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08775cee8a5c077599248e015206a1b4a44a4fb841e1cd7e32aa46acd52b363b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:776
        C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        - Runs ping.exe
        PID:1096
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 2d4cfffb423b3f084c6c5a0b2dcabab2
SHA1: 99fb5e98c61ac7b652611e0ab0470c15870961ad
SHA256: 66667b84d4bafd0ff4cca276017795de86b4659c0cd9cef2c5a2a9000cffb540
SHA512: ad2b66f66f8957a39057f62171572c7ac1c997a0ed4cf9c41e6e9aeedeedc4073e965612d7e75ac654fe252730fb7b9d4a520cbe7a5833e80f4e4b2233d70bf4
memory/1392-53-0x0000000076421000-0x0000000076423000-memory.dmp
Filesize: 8KB