Analysis
- max time kernel: 124s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:08
Static task: static1
Behavioral task: behavioral1
- Sample: 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe
- Resource: win10v2004-en-20220113
General
- Target: 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe
- Size: 35KB
- MD5: 8235305818cd665746af15a165301293
- SHA1: 53d8b57276afbf9d8857d168d564733804af1153
- SHA256: 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436
- SHA512: d60f1dd98033a756fb2f950b84e028154060b6834c47713b8c0ce605f081d51848c258d81321e8185fa3cfb6f0bc609afddb2a4a1eac74cc59d92d69509510cc
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  | pid | process |
  |---|---|
  | 1748 | MediaCenter.exe |
- Deletes itself (1 IoCs)
  Processes:
  | pid | process |
  |---|---|
  | 744 | cmd.exe |
- Loads dropped DLL (2 IoCs)
  Processes:
  | pid | process |
  |---|---|
  | 1384 | 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe |
  | 1384 | 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe |
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  | description | ioc | process |
  |---|---|---|
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  | description | pid | process |
  |---|---|---|
  | Token: SeIncBasePriorityPrivilege | 1384 | 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe |
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  | description | pid | process | target process |
  |---|---|---|---|
  | PID 1384 wrote to memory of 1748 | 1384 | 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe | MediaCenter.exe |
  | PID 1384 wrote to memory of 1748 | 1384 | 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe | MediaCenter.exe |
  | PID 1384 wrote to memory of 1748 | 1384 | 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe | MediaCenter.exe |
  | PID 1384 wrote to memory of 1748 | 1384 | 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe | MediaCenter.exe |
  | PID 1384 wrote to memory of 744 | 1384 | 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe | cmd.exe |
  | PID 1384 wrote to memory of 744 | 1384 | 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe | cmd.exe |
  | PID 1384 wrote to memory of 744 | 1384 | 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe | cmd.exe |
  | PID 1384 wrote to memory of 744 | 1384 | 053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe | cmd.exe |
  | PID 744 wrote to memory of 1056 | 744 | cmd.exe | PING.EXE |
  | PID 744 wrote to memory of 1056 | 744 | cmd.exe | PING.EXE |
  | PID 744 wrote to memory of 1056 | 744 | cmd.exe | PING.EXE |
  | PID 744 wrote to memory of 1056 | 744 | cmd.exe | PING.EXE |
Processes
- C:\Users\Admin\AppData\Local\Temp\053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe (PID 1384, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1748, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 744, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\053e1f5989a75ba2b5983adf6041cdca70899ded4aab1f61c8dd19e413c20436.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1056, depth 3)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 439b7538464e64a82b97299c2eb58062
  SHA1: 8957d5a493d77193860fa2a2a737411625c017e1
  SHA256: aaad4011b01696eb3f28dfc035a9ff814025d7b449e85ccb60ca28e3c158e5bd
  SHA512: bad8bf11e2a851e6ffcbd528897bb68b0ff99f2b063909f452db4fef0809cb94ae73e96569144ab53be47311e2dc3d639b3cf406a524ba272e60ae9a547d6e23
- memory/1384-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp
  Filesize: 8KB