Analysis
- max time kernel: 119s
- max time network: 143s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:33
Static task: static1
Behavioral task: behavioral1
- Sample: 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe
- Resource: win10v2004-en-20220112
General
- Target: 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe
- Size: 36KB
- MD5: 3cc997117eeada8970ad6d66b0be0a0b
- SHA1: b524dad3c049a86c2394a42404f8f79e0f9d659e
- SHA256: 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369
- SHA512: c6d9de8964118456e67ca427ff95e0b411df56c2834e476ca5c5e72e6d6c5bbcce833e7dabc28dbec5042b838ffb4726682077e45f552c3411766ac01c67b419
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1148 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    1088 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1768 | 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe
    1768 | 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1768 | 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1768 wrote to memory of 1148 | 1768 | 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe | MediaCenter.exe
    PID 1768 wrote to memory of 1148 | 1768 | 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe | MediaCenter.exe
    PID 1768 wrote to memory of 1148 | 1768 | 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe | MediaCenter.exe
    PID 1768 wrote to memory of 1148 | 1768 | 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe | MediaCenter.exe
    PID 1768 wrote to memory of 1088 | 1768 | 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe | cmd.exe
    PID 1768 wrote to memory of 1088 | 1768 | 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe | cmd.exe
    PID 1768 wrote to memory of 1088 | 1768 | 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe | cmd.exe
    PID 1768 wrote to memory of 1088 | 1768 | 06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe | cmd.exe
    PID 1088 wrote to memory of 1164 | 1088 | cmd.exe | PING.EXE
    PID 1088 wrote to memory of 1164 | 1088 | cmd.exe | PING.EXE
    PID 1088 wrote to memory of 1164 | 1088 | cmd.exe | PING.EXE
    PID 1088 wrote to memory of 1164 | 1088 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe"
  PID: 1768
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1148
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06d3ac5d3e5c284b70704ecf2721348484f6c5b94e2fdab1663c0f3c52120369.exe"
    PID: 1088
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1164
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f2001ab1517aa1744629f4a6ec0581df
  SHA1: d5a455a07ec87ff1a55f61dc356bc4e5a853df4d
  SHA256: b5dedc3b203b90c5b981d5ba74e3ce0bdf6c71d31caa25150ce6884208c4c7ed
  SHA512: 6f603c8c0836c43e8775087044acde17858f12c4430141265c7b9617739d5e607b74dc0ce3963c24326fbcbcb0d9fe4675be64946c86969e3595feac8b7ea634
- memory/1768-55-0x00000000758A1000-0x00000000758A3000-memory.dmp
  Filesize: 8KB