Analysis
- max time kernel: 138s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:19
Static task: static1
Behavioral task: behavioral1
  Sample: 079b64868d9bd95684504c9213dcce052de9815d1cc751dfb285072f46c7df0c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 079b64868d9bd95684504c9213dcce052de9815d1cc751dfb285072f46c7df0c.exe
  Resource: win10v2004-en-20220113
General
- Target: 079b64868d9bd95684504c9213dcce052de9815d1cc751dfb285072f46c7df0c.exe
- Size: 36KB
- MD5: 38de6fa0d2f030cd0ebc4b60145d6ae1
- SHA1: 04afd032fb87a6458e3b7d56c7d21359bd690392
- SHA256: 079b64868d9bd95684504c9213dcce052de9815d1cc751dfb285072f46c7df0c
- SHA512: 2437ee224372d51cdf725bf07537d291aa7d63d459634df4fc4cd85004728b33426831b282b3f8478ef553ec6ef1fcd7a50c1f3aa534aca38dc56eb2d329761d
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: pid 1608, process MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: pid 396, process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 1548, process 079b64868d9bd95684504c9213dcce052de9815d1cc751dfb285072f46c7df0c.exe (recorded 2 times)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"; process: 079b64868d9bd95684504c9213dcce052de9815d1cc751dfb285072f46c7df0c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: description: Token: SeIncBasePriorityPrivilege; pid 1548; process 079b64868d9bd95684504c9213dcce052de9815d1cc751dfb285072f46c7df0c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (pid / process -> target pid / target process):
  - PID 1548 (079b64868d9bd95684504c9213dcce052de9815d1cc751dfb285072f46c7df0c.exe) wrote to memory of 1608 (MediaCenter.exe), recorded 4 times
  - PID 1548 (079b64868d9bd95684504c9213dcce052de9815d1cc751dfb285072f46c7df0c.exe) wrote to memory of 396 (cmd.exe), recorded 4 times
  - PID 396 (cmd.exe) wrote to memory of 1672 (PING.EXE), recorded 4 times
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\079b64868d9bd95684504c9213dcce052de9815d1cc751dfb285072f46c7df0c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\079b64868d9bd95684504c9213dcce052de9815d1cc751dfb285072f46c7df0c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1548
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1608
  Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\079b64868d9bd95684504c9213dcce052de9815d1cc751dfb285072f46c7df0c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 396
    Process (depth 3): C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1672
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the same file is also recorded twice under the path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, with identical hashes)
  MD5: 08b74dd19b2a0209f1721348a75773bb
  SHA1: b1cbc5ae851a083e5c260183beec458afff4e87d
  SHA256: 4619131700955dd7eff3c892e23d331dd5f1db434914f70211f59e63b133306b
  SHA512: c893146b045a40aad4117a1ad474692652f45a286b9a7844b9574e7306109ca023f7eee451d880e6841844eaf38cbfa3354db337a2d992201c34f0855126567a
- memory/1548-54-0x0000000076451000-0x0000000076453000-memory.dmp
  Filesize: 8KB