Analysis
- max time kernel: 135s
- max time network: 163s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:05
Static task: static1
Behavioral task: behavioral1
- Sample: 055aea853fcf4ef4afc81e12d3dfa2964a7bc86e27ebbea8d1eb56d84b5e93c4.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 055aea853fcf4ef4afc81e12d3dfa2964a7bc86e27ebbea8d1eb56d84b5e93c4.exe
- Resource: win10v2004-en-20220113
General
- Target: 055aea853fcf4ef4afc81e12d3dfa2964a7bc86e27ebbea8d1eb56d84b5e93c4.exe
- Size: 60KB
- MD5: fd10dfbf5775359592c17766ff1cadcc
- SHA1: 793d0d539b9f475787f4435cba2bb0e498e44233
- SHA256: 055aea853fcf4ef4afc81e12d3dfa2964a7bc86e27ebbea8d1eb56d84b5e93c4
- SHA512: 9aebff60714dd835453fdf352aa1bf8b89b31790113b43ba0e6acceb38f85546b088d63ef067439bdd71ac811c86b5170e7a0dc216d74781a5bcd76f0216bf51
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe, PID 2032
- Deletes itself (1 IoC)
  Processes: cmd.exe, PID 984
- Loads dropped DLL (2 IoCs)
  Processes: 055aea853fcf4ef4afc81e12d3dfa2964a7bc86e27ebbea8d1eb56d84b5e93c4.exe, PID 1904 (2 loads)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 055aea853fcf4ef4afc81e12d3dfa2964a7bc86e27ebbea8d1eb56d84b5e93c4.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 055aea853fcf4ef4afc81e12d3dfa2964a7bc86e27ebbea8d1eb56d84b5e93c4.exe, PID 1904
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1904 (055aea853fcf4ef4afc81e12d3dfa2964a7bc86e27ebbea8d1eb56d84b5e93c4.exe) wrote to memory of PID 2032 (MediaCenter.exe), 4 events
  PID 1904 (055aea853fcf4ef4afc81e12d3dfa2964a7bc86e27ebbea8d1eb56d84b5e93c4.exe) wrote to memory of PID 984 (cmd.exe), 4 events
  PID 984 (cmd.exe) wrote to memory of PID 796 (PING.EXE), 4 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\055aea853fcf4ef4afc81e12d3dfa2964a7bc86e27ebbea8d1eb56d84b5e93c4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\055aea853fcf4ef4afc81e12d3dfa2964a7bc86e27ebbea8d1eb56d84b5e93c4.exe"
  PID: 1904
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2032
    Signatures: Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\055aea853fcf4ef4afc81e12d3dfa2964a7bc86e27ebbea8d1eb56d84b5e93c4.exe"
    PID: 984
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 796
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a88e2381cacf36bf3f09dcfda62417f4
  SHA1: de4f1d7de02b5e60ad2795ed7771504b16b646e1
  SHA256: 32ea3117be577b0175b08e2522c6097fa68b805382239d660b870a8bc449ebea
  SHA512: dfab87cbb4c44ddf53071835606c7c46021a268927a62ff65f1e47133dded851fa574f4ed580ffceafcdc03f8265f38528be5e020dfd635438219b197f78d32d
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a88e2381cacf36bf3f09dcfda62417f4
  SHA1: de4f1d7de02b5e60ad2795ed7771504b16b646e1
  SHA256: 32ea3117be577b0175b08e2522c6097fa68b805382239d660b870a8bc449ebea
  SHA512: dfab87cbb4c44ddf53071835606c7c46021a268927a62ff65f1e47133dded851fa574f4ed580ffceafcdc03f8265f38528be5e020dfd635438219b197f78d32d
- memory/1904-55-0x0000000076731000-0x0000000076733000-memory.dmp
  Filesize: 8KB