Analysis
- Max time kernel: 139s
- Max time network: 155s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 12-02-2022 10:17
Static task: static1
Behavioral task: behavioral1
  Sample: 07aa92742a111981377f856cf94b732a074e9297f4ecc9e6d3dd7b3438d4bfd6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 07aa92742a111981377f856cf94b732a074e9297f4ecc9e6d3dd7b3438d4bfd6.exe
  Resource: win10v2004-en-20220113
General
- Target: 07aa92742a111981377f856cf94b732a074e9297f4ecc9e6d3dd7b3438d4bfd6.exe
- Size: 58KB
- MD5: b4128c9e0d656c4ba1ca8449d18e14ac
- SHA1: edf1144d5dc9d478fe883e569576ff5e97346db8
- SHA256: 07aa92742a111981377f856cf94b732a074e9297f4ecc9e6d3dd7b3438d4bfd6
- SHA512: 7a49fd6da06a63ba81f36675f33489d0c75102caec85d94e782a0227433b1aa75247861e28c22090c7061ad07fd440a74779ffbe45dd32fa30b45b55b9a58ea4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 948)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 728)
- Loads dropped DLL (2 IoCs)
  Processes: 07aa92742a111981377f856cf94b732a074e9297f4ecc9e6d3dd7b3438d4bfd6.exe (PID 812), 2 entries
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 07aa92742a111981377f856cf94b732a074e9297f4ecc9e6d3dd7b3438d4bfd6.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 07aa92742a111981377f856cf94b732a074e9297f4ecc9e6d3dd7b3438d4bfd6.exe (PID 812)
  IoC: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID 812 (07aa92742a111981377f856cf94b732a074e9297f4ecc9e6d3dd7b3438d4bfd6.exe) wrote to memory of target PID 948 (MediaCenter.exe): 4 entries
  Source PID 812 (07aa92742a111981377f856cf94b732a074e9297f4ecc9e6d3dd7b3438d4bfd6.exe) wrote to memory of target PID 728 (cmd.exe): 4 entries
  Source PID 728 (cmd.exe) wrote to memory of target PID 736 (PING.EXE): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\07aa92742a111981377f856cf94b732a074e9297f4ecc9e6d3dd7b3438d4bfd6.exe (PID 812)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07aa92742a111981377f856cf94b732a074e9297f4ecc9e6d3dd7b3438d4bfd6.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 948)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 728)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07aa92742a111981377f856cf94b732a074e9297f4ecc9e6d3dd7b3438d4bfd6.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 736)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  (also reported as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, same hashes)
  MD5: c1fbc0ddd3522493323402be15348552
  SHA1: b3415de79d24f799b54cc427ed94e021f4f2aa67
  SHA256: 84c6eeb5b7ec5b1b8c778c3e40e0d3a86b5b0accc2add15bbae7f356abfb44dd
  SHA512: 432c781fb62c47ecbc18eed52935ec499c99b18ae44055813f4779e02179123324ba6bdaf3637e79758029cc7a382ea8037429c0d2998b5e3b21956dbc889ffa
- memory/812-54-0x0000000076C91000-0x0000000076C93000-memory.dmp
  Filesize: 8KB