Analysis
-
max time kernel
121s -
max time network
137s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 10:28
Static task
static1
Behavioral task
behavioral1
Sample
07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe
Resource
win10v2004-en-20220112
General
-
Target
07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe
-
Size
36KB
-
MD5
720305eac22d666be073a16059886716
-
SHA1
9d39c115a41d3a0c938cea9512a148a3e8cb61f5
-
SHA256
07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37
-
SHA512
767dcc1ccff4364c757a1bf814b9af59adb77c8a48c8cba9eafea311b8ac96ce5bfbe02fb50a7f8a509394e7bc6651110071e26af36003082a28430303381885
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1896 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1072 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exepid process 952 07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe 952 07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exedescription pid process Token: SeIncBasePriorityPrivilege 952 07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.execmd.exedescription pid process target process PID 952 wrote to memory of 1896 952 07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe MediaCenter.exe PID 952 wrote to memory of 1896 952 07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe MediaCenter.exe PID 952 wrote to memory of 1896 952 07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe MediaCenter.exe PID 952 wrote to memory of 1896 952 07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe MediaCenter.exe PID 952 wrote to memory of 1072 952 07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe cmd.exe PID 952 wrote to memory of 1072 952 07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe cmd.exe PID 952 wrote to memory of 1072 952 07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe cmd.exe PID 952 wrote to memory of 1072 952 07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe cmd.exe PID 1072 wrote to memory of 1968 1072 cmd.exe PING.EXE PID 1072 wrote to memory of 1968 1072 cmd.exe PING.EXE PID 1072 wrote to memory of 1968 1072 cmd.exe PING.EXE PID 1072 wrote to memory of 1968 1072 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe"C:\Users\Admin\AppData\Local\Temp\07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07164a3615db858db16a3565edf71ff5b0cd0c4ae8b04b1de3e97a325f44ea37.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1968
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
c9137d65fa90ee30e776822ecf4f45d0
SHA1ec675d771c9bf327c500ac76cb59348d0d0a7db8
SHA256910cde079657f1becc44c0ce504f93eef3199eef28e3b88596d010e1ab0783d9
SHA512c1a5598eb9a393f34d25d313a0d460ed34de63909264be7c3cf1b616ac22037129aaa95a436743031cf13d3e44b83f3c38a0963d989939e5a62779f63fecb5bd
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
c9137d65fa90ee30e776822ecf4f45d0
SHA1ec675d771c9bf327c500ac76cb59348d0d0a7db8
SHA256910cde079657f1becc44c0ce504f93eef3199eef28e3b88596d010e1ab0783d9
SHA512c1a5598eb9a393f34d25d313a0d460ed34de63909264be7c3cf1b616ac22037129aaa95a436743031cf13d3e44b83f3c38a0963d989939e5a62779f63fecb5bd
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
c9137d65fa90ee30e776822ecf4f45d0
SHA1ec675d771c9bf327c500ac76cb59348d0d0a7db8
SHA256910cde079657f1becc44c0ce504f93eef3199eef28e3b88596d010e1ab0783d9
SHA512c1a5598eb9a393f34d25d313a0d460ed34de63909264be7c3cf1b616ac22037129aaa95a436743031cf13d3e44b83f3c38a0963d989939e5a62779f63fecb5bd
-
memory/952-54-0x0000000076491000-0x0000000076493000-memory.dmpFilesize
8KB