Analysis
- max time kernel: 150s
- max time network: 174s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:17
Static task: static1
Behavioral task: behavioral1
  Sample: 07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
  Resource: win10v2004-en-20220112
General
- Target: 07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
- Size: 35KB
- MD5: 9aea83059ffb3762a8efc9ff59983744
- SHA1: 49a2dcdfd963b23460846f7ca6f0a421e24261ea
- SHA256: 07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3
- SHA512: 30d25cf7aece2343c8c2aaaad726cd028847cbf788e691b35008e0df525ee5ce164d120052a0c168428d2348a0cb0f67f3b05639f63da6236e04fbcb816f6000
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid   process
  1148  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid   process
  1088  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
  pid   process
  1768  07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
  1768  07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
  description      ioc                                                                                                                                                                  process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
  description                          pid   process
  Token: SeIncBasePriorityPrivilege    1768  07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe, cmd.exe
  description                    pid   process                                                                target process
  PID 1768 wrote to memory of 1148  1768  07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe  MediaCenter.exe
  PID 1768 wrote to memory of 1148  1768  07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe  MediaCenter.exe
  PID 1768 wrote to memory of 1148  1768  07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe  MediaCenter.exe
  PID 1768 wrote to memory of 1148  1768  07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe  MediaCenter.exe
  PID 1768 wrote to memory of 1088  1768  07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe  cmd.exe
  PID 1768 wrote to memory of 1088  1768  07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe  cmd.exe
  PID 1768 wrote to memory of 1088  1768  07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe  cmd.exe
  PID 1768 wrote to memory of 1088  1768  07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe  cmd.exe
  PID 1088 wrote to memory of 1164  1088  cmd.exe                                                                PING.EXE
  PID 1088 wrote to memory of 1164  1088  cmd.exe                                                                PING.EXE
  PID 1088 wrote to memory of 1164  1088  cmd.exe                                                                PING.EXE
  PID 1088 wrote to memory of 1164  1088  cmd.exe                                                                PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1768
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1148
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1088
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1164
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 51c8f86091c968537f49b793c853d007
  SHA1: 3643dfccc2c77cd113c7de79a08ca4d2556a47fe
  SHA256: b477c31be8e99c92ffb511a91fb1f52f2d7ca00e57db98296a4e23509c4bd4e6
  SHA512: 3591fd7dcf9f4dd2ac7a8db355d2ce9e2b703de9256a5e5ac38512fe8e7a5bee9cfc1a307b852158ca072e87fd86bca4a32c6c0b0257ca34343b0c1f25a5c485
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 51c8f86091c968537f49b793c853d007
  SHA1: 3643dfccc2c77cd113c7de79a08ca4d2556a47fe
  SHA256: b477c31be8e99c92ffb511a91fb1f52f2d7ca00e57db98296a4e23509c4bd4e6
  SHA512: 3591fd7dcf9f4dd2ac7a8db355d2ce9e2b703de9256a5e5ac38512fe8e7a5bee9cfc1a307b852158ca072e87fd86bca4a32c6c0b0257ca34343b0c1f25a5c485
- memory/1768-55-0x00000000758A1000-0x00000000758A3000-memory.dmp
  Filesize: 8KB