Analysis
- max time kernel: 121s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:58
Static task: static1
Behavioral task: behavioral1
  Sample: 05a1e9a55cf6a536b4a21cf5384cecd2ef03fbd45beb0a860d666d9b15b5be3d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 05a1e9a55cf6a536b4a21cf5384cecd2ef03fbd45beb0a860d666d9b15b5be3d.exe
  Resource: win10v2004-en-20220112
General
- Target: 05a1e9a55cf6a536b4a21cf5384cecd2ef03fbd45beb0a860d666d9b15b5be3d.exe
- Size: 60KB
- MD5: 870c4f35c986c08f830e5029fdece14a
- SHA1: 7247575b3805884950b3650342e61e1783795055
- SHA256: 05a1e9a55cf6a536b4a21cf5384cecd2ef03fbd45beb0a860d666d9b15b5be3d
- SHA512: 487b811e5e967f01636e5954f5439c16a10d764a254a5199fe133bff666d30cfad7ca423bcc4cf067f83ca87a1f230fe5dbc96deaa2e7f8627b1d18a4f401949
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1720)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 276)
- Loads dropped DLL (2 IoCs)
  Processes: 05a1e9a55cf6a536b4a21cf5384cecd2ef03fbd45beb0a860d666d9b15b5be3d.exe (PID 1204, 2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 05a1e9a55cf6a536b4a21cf5384cecd2ef03fbd45beb0a860d666d9b15b5be3d.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 05a1e9a55cf6a536b4a21cf5384cecd2ef03fbd45beb0a860d666d9b15b5be3d.exe (PID 1204)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 05a1e9a55cf6a536b4a21cf5384cecd2ef03fbd45beb0a860d666d9b15b5be3d.exe, cmd.exe
  PID 1204 (05a1e9a55cf6a536b4a21cf5384cecd2ef03fbd45beb0a860d666d9b15b5be3d.exe) wrote to memory of PID 1720 (MediaCenter.exe): 4 entries
  PID 1204 (05a1e9a55cf6a536b4a21cf5384cecd2ef03fbd45beb0a860d666d9b15b5be3d.exe) wrote to memory of PID 276 (cmd.exe): 4 entries
  PID 276 (cmd.exe) wrote to memory of PID 296 (PING.EXE): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\05a1e9a55cf6a536b4a21cf5384cecd2ef03fbd45beb0a860d666d9b15b5be3d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05a1e9a55cf6a536b4a21cf5384cecd2ef03fbd45beb0a860d666d9b15b5be3d.exe"
  PID: 1204
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1720
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05a1e9a55cf6a536b4a21cf5384cecd2ef03fbd45beb0a860d666d9b15b5be3d.exe"
    PID: 276
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 296
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 61dbb96613839ea6c80601b698648b28
  SHA1: 89d118307cc6d55d14806afa77e57ba03c4f7c02
  SHA256: 6ab0ffea40e770d8f4c42557973c8240090b87dbf3252d30cfc055ba4277f221
  SHA512: c83a22d6418d4e4c488ab13b865c5d7ba7424b1c3f9ea657dd318dcd2eb75273f7a3bce6512528665cf001d64c583dbda248a3061af40a415598f7b47c2022bf
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 61dbb96613839ea6c80601b698648b28
  SHA1: 89d118307cc6d55d14806afa77e57ba03c4f7c02
  SHA256: 6ab0ffea40e770d8f4c42557973c8240090b87dbf3252d30cfc055ba4277f221
  SHA512: c83a22d6418d4e4c488ab13b865c5d7ba7424b1c3f9ea657dd318dcd2eb75273f7a3bce6512528665cf001d64c583dbda248a3061af40a415598f7b47c2022bf
- memory/1204-55-0x0000000075831000-0x0000000075833000-memory.dmp
  Filesize: 8KB