Analysis
- max time kernel: 121s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:19
Static task: static1
Behavioral task: behavioral1
- Sample: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe
- Resource: win10v2004-en-20220112
General
- Target: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe
- Size: 35KB
- MD5: 5efb42b9fdebeea249c1b3f5201f482e
- SHA1: ef1a925efbf5eb46fa5255ddd64a032bba58ed0c
- SHA256: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c
- SHA512: 3e71c3574b36902959f98b1addffe94b64066f28b062cb0973f1b307982295842b4f1c4afe581055bc5ec4ec7c75b2d8a264eed84d4a2f1d458f80251af37faf
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1920)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1644)
- Loads dropped DLL (2 IoCs)
  Processes: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe (PID 1672), 2 events
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe (PID 1672)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID -> Target PID | Source process -> Target process | Events
  1672 -> 1920 | 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe -> MediaCenter.exe | 4
  1672 -> 1644 | 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe -> cmd.exe | 4
  1644 -> 1648 | cmd.exe -> PING.EXE | 4
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe"
  PID: 1672
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1920
    - Executes dropped EXE
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe"
    PID: 1644
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1648
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8bcede96fdf4f7781e8a673dc7cdccc2
  SHA1: d5ace7f68c32d3d2482ffc577590dcedfe069fef
  SHA256: a1ae58dc67b571863b68de574740181fcf915c4c2fb8d7c5dcb64a563e38587c
  SHA512: dc1c0940eb12fd0ffc6098ef5e503d34eae0bb8472a73ccc1f1bcb9dab6f699f6dafb7a3a2c4c8d837c169c0bbcc1c81088c384ec54decbcc0fe9ae77fe18b7f
- memory/1672-55-0x0000000075321000-0x0000000075323000-memory.dmp
  Filesize: 8KB