Analysis

Max time kernel: 145s
Max time network: 162s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 10:31

Static task: static1

Behavioral task: behavioral1
Sample: 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe
Resource: win10v2004-en-20220112
General

Target: 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe
Size: 60KB
MD5: 59ddc36ba5f6bba4a8652f627c6b2f3d
SHA1: a29ef12308ecb77f6aa352fdbbd7186d881d247f
SHA256: 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d
SHA512: 3aefe825ee9959da2c9003e8eadeabe90d14e0db3eeb7e8092c8760f4a461bb64341c9479f183fdf9af2b13355d4eda7cd79d2cb2537b042dbcb57002ae0834d
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Process: MediaCenter.exe (PID 1064)

Deletes itself (1 IoC)
Process: cmd.exe (PID 1928)

Loads dropped DLL (2 IoCs)
Process: 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe (PID 1788), two load events

Adds Run key to start application (2 TTPs, 1 IoC)
Process: 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe (PID 1788)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Note: Wow6432Node is the WOW64-redirected view of HKLM\SOFTWARE, so a 32-bit process wrote what it sees as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on the 64-bit guest. The value makes the dropped MediaCenter.exe start at every user logon; an autorun entry that points into a user's Temp directory is itself a strong hunting indicator.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: no other signature in this report (no mass file writes, no renamed or encrypted files, no ransom note) supports the ransomware reading; the observed behaviour is drop, persist and self-delete.

Runs ping.exe (1 TTP, 1 IoC)
Process: PING.EXE (PID 1900), command line "ping 127.0.0.1", spawned by cmd.exe (PID 1928)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe (PID 1788)
Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
Writer PID  Writer process                                                              Target PID  Target process   Writes
1788        06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe   1064        MediaCenter.exe  4
1788        06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe   1928        cmd.exe          4
1928        cmd.exe                                                                      1900        PING.EXE         4
Note: every target is a direct child of the writer and each child receives the same four writes, consistent with the writes CreateProcess itself performs into a newly created child. The report records no write into a process the writer did not create, so this signature alone is not evidence of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe (PID 1788)
   Command line: "C:\Users\Admin\AppData\Local\Temp\06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe"
   Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1064)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Signatures: Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe (PID 1928)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe"
      Signatures: Deletes itself; Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE (PID 1900)
         Command line: ping 127.0.0.1
         Signatures: Runs ping.exe

The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the 32-bit parent is subject to WOW64 file-system redirection, matching the Wow6432Node registry path above. The ping to 127.0.0.1 is only a delay so that the parent has exited (and released the lock on its own file) before del /q removes the original sample; the persisted copy lives on as MediaCenter.exe.
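Detection logic for the two behaviours shown in the process tree above, as an added example that is not part of the sandbox report or of the sample: a Run-key value pointing into the user's Temp directory, and a cmd.exe child whose "ping ... & del ..." chain deletes its own parent's image. The records are constructed Sysmon-style events (EventID 1 process create, EventID 13 registry value set) whose PIDs, images and command lines are taken from the report; the root process's parent PID (700) and the benign control event (PID 2200) are invented for the example.

```python
"""
Detect Run-key persistence into a user Temp directory and parent self-deletion
via "ping ... & del ...", over constructed Sysmon-style events.

Added example, not part of the sandbox report or of the analysed sample.
EventID 1 = process create, EventID 13 = registry value set; field names
follow Sysmon. PIDs, images and command lines come from the report; the
root's parent PID (700) and the benign control (PID 2200) are invented.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report's process tree and registry IoC.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessId": "1788", "ParentProcessId": "700",
     "Image": SAMPLE, "CommandLine": '"' + SAMPLE + '"'},
    {"EventID": "13", "ProcessId": "1788", "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": "1", "ProcessId": "1064", "ParentProcessId": "1788",
     "Image": DROPPED, "CommandLine": DROPPED},
    {"EventID": "1", "ProcessId": "1928", "ParentProcessId": "1788",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"EventID": "1", "ProcessId": "1900", "ParentProcessId": "1928",
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    # Constructed benign control: a cleanup job deleting a log file, not its parent.
    {"EventID": "1", "ProcessId": "2200", "ParentProcessId": "900",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del /q "C:\Temp\old.log"'},
]

# Run and RunOnce keys under any hive or registry view (HKLM, HKCU, Wow6432Node).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Autorun targets inside a per-user Temp directory: installed software does not live there.
USER_TEMP_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "ping <anything> & del <switches> <path>": the ping only delays the delete.
PING_DEL_RE = re.compile(r"\bping\b[^&]*&\s*(?:del|erase)\b(.*)$", re.IGNORECASE)


def ping_del_target(cmdline: str) -> Optional[str]:
    """Return the path a 'ping ... & del ...' chain deletes, or None if absent."""
    m = PING_DEL_RE.search(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    rest = re.sub(r"^(?:/\w+\s+)+", "", rest)  # drop del switches such as /q /f
    return rest.strip().strip('"')


def image_of(events: List[Dict[str, str]], pid: str) -> Optional[str]:
    """Image path from the process-create event with this PID, if recorded."""
    for e in events:
        if e["EventID"] == "1" and e["ProcessId"] == pid:
            return e["Image"]
    return None


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, ...]]:
    """Return (rule, pid, detail...) tuples, one per matching event, in event order."""
    findings: List[Tuple[str, ...]] = []
    for e in events:
        if e["EventID"] == "13" and RUN_KEY_RE.search(e["TargetObject"]):
            target = e["Details"].strip('"')
            if USER_TEMP_RE.match(target):
                findings.append(("run_key_to_user_temp", e["ProcessId"], e["TargetObject"], target))
        elif e["EventID"] == "1" and e["Image"].lower().endswith("\\cmd.exe"):
            deleted = ping_del_target(e["CommandLine"])
            parent = image_of(events, e["ParentProcessId"])
            # Only a self-delete when the deleted file is the parent's own image.
            if deleted and parent and deleted.lower() == parent.lower():
                findings.append(("parent_self_delete_via_ping", e["ProcessId"], e["ParentProcessId"], deleted))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The self-delete rule deliberately requires the deleted path to equal the parent's recorded image rather than matching on "ping & del" alone, so the control event (a cleanup job deleting a log) produces no finding; the Run-key rule fires on the Temp-directory target regardless of whether the key was reached through the Wow6432Node view.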
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(the report lists this file three times, once with the drive letter and twice as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; all three entries carry the same hashes)
MD5: e4be9b0dc057b2eecb34fbfb8108878e
SHA1: cdf7d67d73bccecad56a1dbcdd375f27fb7f1bf0
SHA256: 0958bafe471c00cd4a147566bd18abaea2e77cf710a3b2751085b235a26c8c9e
SHA512: fdace00b220577b46fef6a4013ba458a18b4b03a11233c6e24ffce8d3faa09f0ec29331e4d1b59e0efd3059faf84de6d102487ad6cad0a2d0215a84f5011516d
These hashes differ from the submitted sample's, so the persisted MediaCenter.exe is a distinct dropped payload rather than a copy of the launcher; hunt for both.

memory/1788-54-0x0000000076001000-0x0000000076003000-memory.dmp
Filesize: 8KB