Analysis
- max time kernel: 118s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:16
Static task: static1
Behavioral task: behavioral1
- Sample: 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
- Resource: win10v2004-en-20220113
General
- Target: 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
- Size: 35KB
- MD5: 3ea00914d2d50cb71f29a8e26c35fde9
- SHA1: dc907c7aedab6ee77b1f307d244ad8f293801dbb
- SHA256: 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d
- SHA512: 7aee8083eb230e3fe10e81eca95601b55f9722dea6d379d30c9c93b445aa3dbb2e1677b0e939ee0fa66bde485d5006d6d1187867d0c96377d1702da477f1c97e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process): 1576, MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process): 1508, cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process): 1756, 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe; 1756, 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process): Set value (str), \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process): Token: SeIncBasePriorityPrivilege, 1756, 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1756 wrote to memory of 1576, 1756, 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe, MediaCenter.exe
  PID 1756 wrote to memory of 1576, 1756, 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe, MediaCenter.exe
  PID 1756 wrote to memory of 1576, 1756, 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe, MediaCenter.exe
  PID 1756 wrote to memory of 1576, 1756, 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe, MediaCenter.exe
  PID 1756 wrote to memory of 1508, 1756, 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe, cmd.exe
  PID 1756 wrote to memory of 1508, 1756, 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe, cmd.exe
  PID 1756 wrote to memory of 1508, 1756, 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe, cmd.exe
  PID 1756 wrote to memory of 1508, 1756, 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe, cmd.exe
  PID 1508 wrote to memory of 608, 1508, cmd.exe, PING.EXE
  PID 1508 wrote to memory of 608, 1508, cmd.exe, PING.EXE
  PID 1508 wrote to memory of 608, 1508, cmd.exe, PING.EXE
  PID 1508 wrote to memory of 608, 1508, cmd.exe, PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1756
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1576
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1508
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 608
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0df21c1c4cc3c4e454e435225c98eaad
  SHA1: 39ca49199632c2cabebda15c3a404dfc3ad7f4a0
  SHA256: bff4028a7e2db85e916496b49a5a8b2b0a737b370e26d8027975eb14f8143012
  SHA512: 2811b3739f35f7895020e0e5e8edcc6a3747a219419158a9fad0ea3176ed559bb94483115b9703e284fc1eed9784743d787c22dda3585e9075a5ddbbcd5116f2
- memory/1756-54-0x0000000076451000-0x0000000076453000-memory.dmp
  Filesize: 8KB