Analysis
max time kernel: 154s
max time network: 177s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 10:36
Static task: static1
Behavioral task: behavioral1
  Sample: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
  Resource: win10v2004-en-20220112
General
Target: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
Size: 60KB
MD5: 98277bd1adff6b1265332dcce9ba70bd
SHA1: 4cf764c6743f556ae168758b39e50266aceabc72
SHA256: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b
SHA512: 3d6204c817d1007d45d4c733b03cf43890044af71113ee946c7dffa5f1e09f4f024d4eee6692552444297b7771b51c201c06200d4e73efad5b3e90554e894e79
Malware Config
Signatures
Executes dropped EXE  1 IoCs
Processes:
pid   process
1224  MediaCenter.exe
Deletes itself  1 IoCs
Processes:
pid  process
832  cmd.exe
Loads dropped DLL  2 IoCs
Processes:
pid   process
1900  06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
1900  06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
Adds Run key to start application  2 TTPs  1 IoCs
Processes:
description      ioc                                                                                                                                                                                           process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe  1 TTPs  1 IoCs
Suspicious use of AdjustPrivilegeToken  1 IoCs
Processes:
description                        pid   process
Token: SeIncBasePriorityPrivilege  1900  06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
Suspicious use of WriteProcessMemory  12 IoCs
Processes:
description                        pid   process                                                                   target process
PID 1900 wrote to memory of 1224   1900  06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe  MediaCenter.exe
PID 1900 wrote to memory of 1224   1900  06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe  MediaCenter.exe
PID 1900 wrote to memory of 1224   1900  06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe  MediaCenter.exe
PID 1900 wrote to memory of 1224   1900  06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe  MediaCenter.exe
PID 1900 wrote to memory of 832    1900  06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe  cmd.exe
PID 1900 wrote to memory of 832    1900  06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe  cmd.exe
PID 1900 wrote to memory of 832    1900  06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe  cmd.exe
PID 1900 wrote to memory of 832    1900  06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe  cmd.exe
PID 832 wrote to memory of 1248    832   cmd.exe                                                                   PING.EXE
PID 832 wrote to memory of 1248    832   cmd.exe                                                                   PING.EXE
PID 832 wrote to memory of 1248    832   cmd.exe                                                                   PING.EXE
PID 832 wrote to memory of 1248    832   cmd.exe                                                                   PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1900
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1224
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 832
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1248
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 4057315e4aff96553bb8f44409bae90b
SHA1: 4b82eda54fdee9a6a959f535c5495b8965ec274c
SHA256: da0c9c0d04af863620e7abdf496a1bb2e65f9980ac456bfc1609a33a09f1425d
SHA512: e2292d6b85dabab5f1d9bb73ba0fab61ac2526114125eb9429868b96c49e290499694106e5bcae8ddd7afb2493759ceffde95f941f3410d429784a50ff795379

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 4057315e4aff96553bb8f44409bae90b
SHA1: 4b82eda54fdee9a6a959f535c5495b8965ec274c
SHA256: da0c9c0d04af863620e7abdf496a1bb2e65f9980ac456bfc1609a33a09f1425d
SHA512: e2292d6b85dabab5f1d9bb73ba0fab61ac2526114125eb9429868b96c49e290499694106e5bcae8ddd7afb2493759ceffde95f941f3410d429784a50ff795379

memory/1900-55-0x00000000760F1000-0x00000000760F3000-memory.dmp
Filesize: 8KB