Analysis
max time kernel: 162s
max time network: 178s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 10:56
Static task: static1
Behavioral task: behavioral1
  Sample: 05b6b136fff575e1aa8cabf9314a7abea100e3d66d230f62b776fd9964ab3fb2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 05b6b136fff575e1aa8cabf9314a7abea100e3d66d230f62b776fd9964ab3fb2.exe
  Resource: win10v2004-en-20220113
General
Target: 05b6b136fff575e1aa8cabf9314a7abea100e3d66d230f62b776fd9964ab3fb2.exe
Size: 36KB
MD5: 9ecb378d27964fc4f79ab59fb6eee057
SHA1: 3dcfdf4b78d1d32efd221f2a143595f2eb0b0d6f
SHA256: 05b6b136fff575e1aa8cabf9314a7abea100e3d66d230f62b776fd9964ab3fb2
SHA512: 723f3bffc4df9805d77147c1b3513bbc8c4721b6a1705c794c73e342b0852cc17e22312327302182881d971365cf4677a44b8fc6d9fc8186f167a0b66ea5bf95
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    656  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1952  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1500  05b6b136fff575e1aa8cabf9314a7abea100e3d66d230f62b776fd9964ab3fb2.exe  (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  05b6b136fff575e1aa8cabf9314a7abea100e3d66d230f62b776fd9964ab3fb2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1500  05b6b136fff575e1aa8cabf9314a7abea100e3d66d230f62b776fd9964ab3fb2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1500 wrote to memory of 656   1500  05b6b136fff575e1aa8cabf9314a7abea100e3d66d230f62b776fd9964ab3fb2.exe  MediaCenter.exe  (4 entries)
    PID 1500 wrote to memory of 1952  1500  05b6b136fff575e1aa8cabf9314a7abea100e3d66d230f62b776fd9964ab3fb2.exe  cmd.exe          (4 entries)
    PID 1952 wrote to memory of 1836  1952  cmd.exe                                                                PING.EXE         (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\05b6b136fff575e1aa8cabf9314a7abea100e3d66d230f62b776fd9964ab3fb2.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\05b6b136fff575e1aa8cabf9314a7abea100e3d66d230f62b776fd9964ab3fb2.exe"
  PID: 1500
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 656
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05b6b136fff575e1aa8cabf9314a7abea100e3d66d230f62b776fd9964ab3fb2.exe"
    PID: 1952
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE  (depth 3)
      Command line: ping 127.0.0.1
      PID: 1836
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d0bbbf46be3bc41e32a2c97d5e3ea168
  SHA1: 4853cee6fb88859d56f1c89c8df91980298d27e7
  SHA256: 643c4e329f3b0d26c5bb9d4c259b00c2572e004863cac279581eca875cfddb0b
  SHA512: cbdca423edbbc19cad01b8e2d060da1812c06f1dfc9fcbf781c6bf56e7642553e0e4b8df6acc400ba78fa9cd1ef0765bd85fc041394e9d0796f3cbcf20d6c9a9
- memory/1500-54-0x0000000074F01000-0x0000000074F03000-memory.dmp
  Filesize: 8KB