Analysis
Max time kernel: 150s
Max time network: 157s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 10:57
Static task: static1
Behavioral task: behavioral1
  Sample: 05adf712a9c938377cce214ede0b13d627f656d0a929b2734528d4254cd30e9d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 05adf712a9c938377cce214ede0b13d627f656d0a929b2734528d4254cd30e9d.exe
  Resource: win10v2004-en-20220112
General
Target: 05adf712a9c938377cce214ede0b13d627f656d0a929b2734528d4254cd30e9d.exe
Size: 60KB
MD5: e6303b6b0a1eeea73b6d1f81995123b3
SHA1: 60014e56013b00f1e6bd7cf486e34a1a46f8ba73
SHA256: 05adf712a9c938377cce214ede0b13d627f656d0a929b2734528d4254cd30e9d
SHA512: 24a097c88968f1aa2847dc2bd41f95f17018aca4e2b2f6850ad6199ee9074fb85db048a881789569c552ec496b6367f70a8be5641f1a5cada769ae6d61bd3a2d
Malware Config
Signatures
Executes dropped EXE (IoCs: 1)
  Process: MediaCenter.exe (PID 1620)

Deletes itself (IoCs: 1)
  Process: cmd.exe (PID 284)

Loads dropped DLL (IoCs: 2)
  Process: 05adf712a9c938377cce214ede0b13d627f656d0a929b2734528d4254cd30e9d.exe (PID 1580), 2 events

Adds Run key to start application (TTPs: 2, IoCs: 1)
  Process: 05adf712a9c938377cce214ede0b13d627f656d0a929b2734528d4254cd30e9d.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"

Enumerates physical storage devices (TTPs: 1)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (TTPs: 1, IoCs: 1)

Suspicious use of AdjustPrivilegeToken (IoCs: 1)
  Process: 05adf712a9c938377cce214ede0b13d627f656d0a929b2734528d4254cd30e9d.exe (PID 1580)
  Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (IoCs: 12)
  Source PID -> target PID (source process -> target process):
  1580 -> 1620 (05adf712a9c938377cce214ede0b13d627f656d0a929b2734528d4254cd30e9d.exe -> MediaCenter.exe), 4 events
  1580 -> 284 (05adf712a9c938377cce214ede0b13d627f656d0a929b2734528d4254cd30e9d.exe -> cmd.exe), 4 events
  284 -> 768 (cmd.exe -> PING.EXE), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\05adf712a9c938377cce214ede0b13d627f656d0a929b2734528d4254cd30e9d.exe (PID 1580, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\05adf712a9c938377cce214ede0b13d627f656d0a929b2734528d4254cd30e9d.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1620, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 284, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05adf712a9c938377cce214ede0b13d627f656d0a929b2734528d4254cd30e9d.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 768, depth 3)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 865e6b4d3b7855269a5837e644cc5e3a
  SHA1: 3d5a31fb983e3757c1e44e3d178cb1064aa3dfd2
  SHA256: 7abd6620e937dc0a47eb038530f8795d2aad2fbc88bc8b8df2ed1e1f6d2cdcd6
  SHA512: 7c6c9cc14c934af764132e7d552968c86b18d6d7494e8af69f485cec78d834f856589c08b0f5dd82ed6db91e345deef4de7d53182b70d16ece25bb26a62100dd
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 865e6b4d3b7855269a5837e644cc5e3a
  SHA1: 3d5a31fb983e3757c1e44e3d178cb1064aa3dfd2
  SHA256: 7abd6620e937dc0a47eb038530f8795d2aad2fbc88bc8b8df2ed1e1f6d2cdcd6
  SHA512: 7c6c9cc14c934af764132e7d552968c86b18d6d7494e8af69f485cec78d834f856589c08b0f5dd82ed6db91e345deef4de7d53182b70d16ece25bb26a62100dd
- memory/1580-55-0x00000000763F1000-0x00000000763F3000-memory.dmp
  Filesize: 8KB