Analysis
- max time kernel: 119s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:36
Static task: static1
Behavioral task: behavioral1
  Sample: 06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe
  Resource: win10v2004-en-20220113
General
- Target: 06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe
- Size: 36KB
- MD5: 298b4aa1c35038da0f9bb828840f54a9
- SHA1: 56ec1c11bd2bb1a8b27357961228a0871385e048
- SHA256: 06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06
- SHA512: ba38491f3cb3a3d291cc06ecac821e0b4652524a2856360e67710f7696d1b3cefbb006cee30b64e324d0c4f65e6bfbcba8a797f6b57d91f79ef19ddc42ebadfe
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    PID 1896  process MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    PID 828  process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe
    PID 1776  process 06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe
    PID 1776  process 06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe
    description: Token: SeIncBasePriorityPrivilege
    PID 1776  process 06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe, cmd.exe
    description                          pid   process                                                                 target process
    PID 1776 wrote to memory of 1896     1776  06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe  MediaCenter.exe
    PID 1776 wrote to memory of 1896     1776  06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe  MediaCenter.exe
    PID 1776 wrote to memory of 1896     1776  06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe  MediaCenter.exe
    PID 1776 wrote to memory of 1896     1776  06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe  MediaCenter.exe
    PID 1776 wrote to memory of 828      1776  06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe  cmd.exe
    PID 1776 wrote to memory of 828      1776  06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe  cmd.exe
    PID 1776 wrote to memory of 828      1776  06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe  cmd.exe
    PID 1776 wrote to memory of 828      1776  06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe  cmd.exe
    PID 828 wrote to memory of 1832      828   cmd.exe                                                                 PING.EXE
    PID 828 wrote to memory of 1832      828   cmd.exe                                                                 PING.EXE
    PID 828 wrote to memory of 1832      828   cmd.exe                                                                 PING.EXE
    PID 828 wrote to memory of 1832      828   cmd.exe                                                                 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 1776
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
    PID: 1896
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06be3e0ad78f6334cf97518d61a0e102d61ad764f7fa0ca54a572945b0810c06.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    PID: 828
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
      PID: 1832
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 64cf720663df2ab44fe7d3cb74f78f03
  SHA1: 9e652644690f0e5ac90cf2c4349dc32d7699c54c
  SHA256: b347ab85427ada0124ac9a042f96351c2d68ef203a24d1a413343d48ec097f4d
  SHA512: 0f5ccfdc933545ed588624def3ff3a2c722a21a2a3e1d1c2dee254a93b08f346971cd265e82999b7b1c266f896e9f3feaca4dad50270ca2f690507a2b5e43937
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 64cf720663df2ab44fe7d3cb74f78f03
  SHA1: 9e652644690f0e5ac90cf2c4349dc32d7699c54c
  SHA256: b347ab85427ada0124ac9a042f96351c2d68ef203a24d1a413343d48ec097f4d
  SHA512: 0f5ccfdc933545ed588624def3ff3a2c722a21a2a3e1d1c2dee254a93b08f346971cd265e82999b7b1c266f896e9f3feaca4dad50270ca2f690507a2b5e43937
- memory/1776-53-0x0000000076C61000-0x0000000076C63000-memory.dmp
  Filesize: 8KB