Analysis
max time kernel: 122s
max time network: 142s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 10:33
Static task: static1
Behavioral task: behavioral1
  Sample: 06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe
  Resource: win10v2004-en-20220112
General
Target: 06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe
Size: 35KB
MD5: 1aa1c5811584f9590e461f67b0cd441f
SHA1: 22acba0dd05f249df9e8d36f3ba799dc3fb8991b
SHA256: 06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618
SHA512: d3fa5abda191d6d6ed2d01bc95429026957ed1d3d9c475ea9d05fccffd1e08f64b8ab9b8f2cfab2779e4834cecc61e2c784ae70799831ea02c4b5c5e394979f1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   process
  840   MediaCenter.exe
- Deletes itself (1 IoC)
  pid   process
  1828  cmd.exe
- Loads dropped DLL (2 IoCs)
  pid   process
  928   06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe
  928   06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  928   06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process                                                                   target process
  PID 928 wrote to memory of 840    928   06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe     MediaCenter.exe
  PID 928 wrote to memory of 840    928   06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe     MediaCenter.exe
  PID 928 wrote to memory of 840    928   06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe     MediaCenter.exe
  PID 928 wrote to memory of 840    928   06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe     MediaCenter.exe
  PID 928 wrote to memory of 1828   928   06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe     cmd.exe
  PID 928 wrote to memory of 1828   928   06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe     cmd.exe
  PID 928 wrote to memory of 1828   928   06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe     cmd.exe
  PID 928 wrote to memory of 1828   928   06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe     cmd.exe
  PID 1828 wrote to memory of 1260  1828  cmd.exe                                                                   PING.EXE
  PID 1828 wrote to memory of 1260  1828  cmd.exe                                                                   PING.EXE
  PID 1828 wrote to memory of 1260  1828  cmd.exe                                                                   PING.EXE
  PID 1828 wrote to memory of 1260  1828  cmd.exe                                                                   PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe"
  PID: 928
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 840
    - Executes dropped EXE
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06cfcfa7a67c90f2a219e7b02ec3d10ec6ef00944da734a55c757c9520e84618.exe"
    PID: 1828
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1260
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: beabe2dec1cbafca43a87f7f13d63029
  SHA1: 218a7270625ef9c380de98481db24c6c3f1269d9
  SHA256: 07681d996a55f18eadb7af3f7e1c53ef57d71d9f4a908752cdabde01d74d532a
  SHA512: d82f86cadae4f15dd0282bdba5c39e10a3a4ef05efd6b30851f7f3e3b17058335310ab260714f0098ec21aa02bc32ce1511d1d660e490962c4ed34f934188a6a
-
memory/928-54-0x0000000075531000-0x0000000075533000-memory.dmp
  Filesize: 8KB