Analysis
- max time kernel: 127s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:55
Static task: static1
Behavioral task: behavioral1
- Sample: 05c06fa12ba26e0c8c370fc235ca45d7eaca4f4a81976501b719411eaa8e2012.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 05c06fa12ba26e0c8c370fc235ca45d7eaca4f4a81976501b719411eaa8e2012.exe
- Resource: win10v2004-en-20220112
General
- Target: 05c06fa12ba26e0c8c370fc235ca45d7eaca4f4a81976501b719411eaa8e2012.exe
- Size: 36KB
- MD5: aec2bd3bdadc071d4a1140f6ceca8861
- SHA1: a2e775b50754e1b93855910740fb039a102d3eac
- SHA256: 05c06fa12ba26e0c8c370fc235ca45d7eaca4f4a81976501b719411eaa8e2012
- SHA512: 91350a8f308062c7d408b17b0254a8a19316674d67311a6004a01a574d1800a6214972d1951da18eac83c2509bb7a4c4edacb12fa76a780db27f7402b1409549
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1640 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: PID 420 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1628 05c06fa12ba26e0c8c370fc235ca45d7eaca4f4a81976501b719411eaa8e2012.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 05c06fa12ba26e0c8c370fc235ca45d7eaca4f4a81976501b719411eaa8e2012.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: PID 1628 05c06fa12ba26e0c8c370fc235ca45d7eaca4f4a81976501b719411eaa8e2012.exe
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1628 (05c06fa12ba26e0c8c370fc235ca45d7eaca4f4a81976501b719411eaa8e2012.exe) wrote to memory of PID 1640 (MediaCenter.exe): 4 entries
  PID 1628 (05c06fa12ba26e0c8c370fc235ca45d7eaca4f4a81976501b719411eaa8e2012.exe) wrote to memory of PID 420 (cmd.exe): 4 entries
  PID 420 (cmd.exe) wrote to memory of PID 1656 (PING.EXE): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\05c06fa12ba26e0c8c370fc235ca45d7eaca4f4a81976501b719411eaa8e2012.exe (PID 1628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\05c06fa12ba26e0c8c370fc235ca45d7eaca4f4a81976501b719411eaa8e2012.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1640)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 420)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05c06fa12ba26e0c8c370fc235ca45d7eaca4f4a81976501b719411eaa8e2012.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1656)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 24559f2b68b5787a12fb70ba4fa3a59e
  SHA1: 5447d6bc129a12b318747b6f84326e050c212416
  SHA256: 33887eef6305846de78dc4327915c3690c1ec498a8e8b7305afb5d2f83bbc372
  SHA512: 20a1d4af06021b4d8508f37740ac2faaab93eb250743a7870e28dd8ad4c83a481a1ff760682d5e03fba9a647353c8671a95cabc110df05209c232e2b4b8f09a5
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 24559f2b68b5787a12fb70ba4fa3a59e
  SHA1: 5447d6bc129a12b318747b6f84326e050c212416
  SHA256: 33887eef6305846de78dc4327915c3690c1ec498a8e8b7305afb5d2f83bbc372
  SHA512: 20a1d4af06021b4d8508f37740ac2faaab93eb250743a7870e28dd8ad4c83a481a1ff760682d5e03fba9a647353c8671a95cabc110df05209c232e2b4b8f09a5
- memory/1628-55-0x0000000076B81000-0x0000000076B83000-memory.dmp
  Filesize: 8KB