Analysis
- max time kernel: 138s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe
  Resource: win10v2004-en-20220113
General
- Target: 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe
- Size: 36KB
- MD5: 903ddad10d22c14463444bb151b54478
- SHA1: 2497cc4b561b294da4bcb01134a8f7b16f7dea20
- SHA256: 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539
- SHA512: e59a52f5a8d361bb5bb8fa8d0b8a31bc27794ea47fc4719dcaac42059b75f8c76e9044299b3bc917b49199eef98b74d1167ce73d69520f9b4d19bf37dd77beef
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  1952 MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
  1684 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1480 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe
  1480 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege 1480 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1480 wrote to memory of 1952 | 1480 | 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe | MediaCenter.exe
  PID 1480 wrote to memory of 1952 | 1480 | 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe | MediaCenter.exe
  PID 1480 wrote to memory of 1952 | 1480 | 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe | MediaCenter.exe
  PID 1480 wrote to memory of 1952 | 1480 | 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe | MediaCenter.exe
  PID 1480 wrote to memory of 1684 | 1480 | 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe | cmd.exe
  PID 1480 wrote to memory of 1684 | 1480 | 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe | cmd.exe
  PID 1480 wrote to memory of 1684 | 1480 | 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe | cmd.exe
  PID 1480 wrote to memory of 1684 | 1480 | 0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe | cmd.exe
  PID 1684 wrote to memory of 2008 | 1684 | cmd.exe | PING.EXE
  PID 1684 wrote to memory of 2008 | 1684 | cmd.exe | PING.EXE
  PID 1684 wrote to memory of 2008 | 1684 | cmd.exe | PING.EXE
  PID 1684 wrote to memory of 2008 | 1684 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1480
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:1952
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0588dd7280465763e0ece37e2a589f41689c4bbdfdfdc390234ea82af4670539.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1684
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID:2008
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: b6aad6a54f91bb645388eb32e49afd56
  SHA1: 78df324740e57ae24f00cf82d912906a6b27e185
  SHA256: da82d6d40f0644140c2b80cfe391bfb9759c79b8567e36e628ec6cf0d15002a7
  SHA512: 82179d037d7ba57ec049bb948b21fd737ac0f92ac1bec0c82706f277e94d81bd6cd42476f163ea631a3cb73365fa96c29f9d49b348c9c8343a6d062041ff8b5b
- memory/1480-54-0x0000000074B21000-0x0000000074B23000-memory.dmp
  Filesize: 8KB