Analysis
- max time kernel: 163s
- max time network: 182s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:55

Static task: static1
Behavioral task: behavioral1
- Sample: 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe
- Resource: win10v2004-en-20220113
General
- Target: 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe
- Size: 60KB
- MD5: 62ec3ce06826523e5bf87ac579fba81b
- SHA1: f9544c12764dce9dd6ac8f0ad8668739e45fddb9
- SHA256: 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff
- SHA512: e866376c8efb92e62ae2ad8569f978eefbdb853c12d6b58328e904bfbe0bad412ceef432d1500d642ee0faf2f6a97de87d49b3f8e8055c50fa5870e60fd6f66f
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (pid 544)
- Deletes itself (1 IoC)
  Processes: cmd.exe (pid 1072). The `ping 127.0.0.1` in its command line acts as a short delay so that the original sample has exited before `del /q` removes it from %TEMP% (see process tree).
- Loads dropped DLL (2 IoCs)
  Processes: 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe (pid 1664), two loads
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe (pid 1664) set value (str):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The Wow6432Node path shows the 32-bit sample writing the machine-wide Run key on the x64 guest; the persisted binary is the dropped MediaCenter.exe in a user-writable Temp directory.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but no process is attributed to the signature and the report records no file encryption, so treat it as a heuristic rather than a confirmed capability.
- Runs ping.exe (1 TTP, 1 IoC)
  Processes: PING.EXE (pid 1968), see process tree
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe (pid 1664) enabled token privilege SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  source pid | source process | target pid | target process | writes
  1664 | 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe | 544 | MediaCenter.exe | 4
  1664 | 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe | 1072 | cmd.exe | 4
  1072 | cmd.exe | 1968 | PING.EXE | 4
  Every target is a child that the writing process launched itself (see process tree), which is consistent with the memory writes a parent performs while creating a child, not with injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe (pid 1664)
  Command line: "C:\Users\Admin\AppData\Local\Temp\05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (pid 544, child of 1664)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (pid 1072, child of 1664)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (pid 1968, child of 1072)
      Command line: ping 127.0.0.1
      - Runs ping.exe

The command line asks for System32\cmd.exe but the image that runs is SysWOW64\cmd.exe: the 32-bit parent is subject to WOW64 file system redirection, which is why the registry write above also lands under Wow6432Node.
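The chain recorded above (a sample running from %TEMP% drops MediaCenter.exe, registers it under the Run key, then removes its own image via cmd.exe /c ping & del) maps onto a few simple detection rules. The following is an added example written for this page, not tooling from the sandbox or code from the sample: it re-encodes the process tree and the registry write as constructed records (the parent of PID 1664 is not in the report and is set to 0; the field names pid, ppid, image, cmdline, key, name, data are assumed and should be mapped to your EDR or Sysmon schema) and runs three rules over them.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str    # full path of the executable image
    cmdline: str  # command line as logged


@dataclass(frozen=True)
class RegWrite:
    pid: int
    key: str
    name: str
    data: str


# Constructed records re-encoding the process tree and the Run-key IoC from
# this report. The parent of PID 1664 is not recorded there, so ppid is 0.
SAMPLE_SHA256 = "05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = ntpath.join(TEMP, SAMPLE_SHA256 + ".exe")
MEDIACENTER_EXE = ntpath.join(TEMP, "MicroMedia", "MediaCenter.exe")

PROCS = [
    Proc(1664, 0, SAMPLE_EXE, '"%s"' % SAMPLE_EXE),
    Proc(544, 1664, MEDIACENTER_EXE, MEDIACENTER_EXE),
    Proc(1072, 1664, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "%s"' % SAMPLE_EXE),
    Proc(1968, 1072, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REG_WRITES = [
    RegWrite(1664, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
             "MicroMedia", MEDIACENTER_EXE),
]

# Directories a standard user can write to; an autorun entry or a parent
# process living here deserves a second look.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")

# "ping <anything> & del [/switches] <path>.exe": ping is used as a sleep so
# the parent has exited before its own image is deleted.
_SELF_DELETE = re.compile(
    r'\bping\b[^&]*&+\s*(?:del|erase)\b(?:\s+/\w+)*\s*"?(?P<path>[^"]+?\.exe)"?',
    re.IGNORECASE)


def _in_user_writable(path: str) -> bool:
    p = path.strip('"').lower()
    return any(marker in p for marker in USER_WRITABLE)


def self_delete_targets(procs):
    """(cmd pid, parent pid, deleted path) for cmd.exe instances that delete their parent's image."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = _SELF_DELETE.search(p.cmdline)
        if not m:
            continue
        target = m.group("path").strip()
        parent = by_pid.get(p.ppid)
        if parent is not None and parent.image.lower() == target.lower():
            hits.append((p.pid, parent.pid, target))
    return hits


def run_key_to_user_writable(writes):
    """(pid, value name, data) for Run/RunOnce values pointing into a user-writable directory."""
    hits = []
    for w in writes:
        key = w.key.lower()
        if not (key.endswith("\\currentversion\\run") or key.endswith("\\currentversion\\runonce")):
            continue
        if _in_user_writable(w.data):
            hits.append((w.pid, w.name, w.data))
    return hits


def spawned_from_user_writable(procs):
    """(parent pid, child pid, child image) for children of a process running from a user-writable directory."""
    by_pid = {p.pid: p for p in procs}
    return [(p.ppid, p.pid, p.image) for p in procs
            if p.ppid in by_pid and _in_user_writable(by_pid[p.ppid].image)]


def triage(procs, writes):
    return {
        "self_delete": self_delete_targets(procs),
        "run_key_user_writable": run_key_to_user_writable(writes),
        "spawn_from_user_writable": spawned_from_user_writable(procs),
    }


if __name__ == "__main__":
    for rule, hits in triage(PROCS, REG_WRITES).items():
        for hit in hits:
            print(rule, *hit)
```

Run stand-alone it prints one self-delete hit (cmd.exe 1072 deleting the image of its parent 1664), one Run-key hit (MicroMedia pointing into Temp) and two spawn hits (544 and 1072, both children of the Temp-resident sample). The self-delete rule deliberately requires the deleted path to equal the parent's own image; a plain `ping & del` of some other file is common in installers and would otherwise be noisy.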
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the report lists the same file twice more under the drive-relative path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, with identical hashes)
  MD5: 07628a837736331a26bd641631e6d4c4
  SHA1: e32d1eb7b5ab57f93af99012a6df7375b9e74cc6
  SHA256: 86c60d3f35312f2ec6764618022bb0cfdd409f8d9d7a95e7356600f1fed69597
  SHA512: af7ab87e9a311e9e0d2047870aaa545439dc62f0e1704f0c33b71b3860165c5b4c54f40d4f19b9f7c450347402b57aac646567af9f6ff7bb44bccd94af494823
- memory/1664-54-0x0000000076491000-0x0000000076493000-memory.dmp
  Filesize: 8KB