Analysis
- max time kernel: 120s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:32
Static task: static1
Behavioral task: behavioral1
- Sample: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
- Resource: win10v2004-en-20220113
General
- Target: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
- Size: 60KB
- MD5: 328dbbe5e12f97f4d9ad1699a8f1acab
- SHA1: a73b30bd40c731bc69ae79159e26ca0b68115661
- SHA256: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f
- SHA512: 5430210b7d6e01f8d980be4ee749b45470e6e98c4124aab5aafbd9632cdeab3d5d40a7546cf58082a5d5a0c1fa5db42bb8a1d8bfbfa49349c51ea445cf7ecb8a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1712)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 804)
- Loads dropped DLL (2 IoCs)
  Processes: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe (PID 948), two load events
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe (PID 948)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 948 (06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe) wrote to memory of PID 1712 (MediaCenter.exe): 4 events
  PID 948 (06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe) wrote to memory of PID 804 (cmd.exe): 4 events
  PID 804 (cmd.exe) wrote to memory of PID 296 (PING.EXE): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe"
  PID: 948
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1712
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe"
    PID: 804
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 296
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5964cdddc061b691582cb76ecf658003
  SHA1: be1cc7803d5974d37a65255ac0e418e02d45b594
  SHA256: dc17452b38f23365e25148d316e44956cb8551eb97e33b4a82496d25248302be
  SHA512: ff68a9524f4053e4c9a760315ee10dbf6f9a1b5be87f888aa8eb8ee5fc378fd6f01d797c03775f6672db441e75d20ae7b80bdb599247239832b83738965e6c29
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5964cdddc061b691582cb76ecf658003
  SHA1: be1cc7803d5974d37a65255ac0e418e02d45b594
  SHA256: dc17452b38f23365e25148d316e44956cb8551eb97e33b4a82496d25248302be
  SHA512: ff68a9524f4053e4c9a760315ee10dbf6f9a1b5be87f888aa8eb8ee5fc378fd6f01d797c03775f6672db441e75d20ae7b80bdb599247239832b83738965e6c29
- memory/948-54-0x0000000076911000-0x0000000076913000-memory.dmp
  Filesize: 8KB