Analysis
- max time kernel: 125s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:40
Static task: static1
Behavioral task: behavioral1
  Sample: 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe
  Resource: win10v2004-en-20220113
General
- Target: 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe
- Size: 36KB
- MD5: 48a1a958c1b63834a424884c733859ca
- SHA1: c473b0c37a80da99a6d5636d819fa41a7f6ec4da
- SHA256: 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f
- SHA512: 477646efd64e6d53173f620e429eb5291289ff1d8431cd474dd9b9e876d8a29deba1b2fe6e2dc7941bb69657dfc1726edb1790cdf22404aad9488a9e68cfd44a
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    MediaCenter.exe (PID 1320)
- Deletes itself (1 IoCs)
  Processes:
    cmd.exe (PID 824)
- Loads dropped DLL (2 IoCs)
  Processes:
    06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe (PID 1592)
    06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe (PID 1592)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe (PID 1592): Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 1592 (06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe) wrote to memory of PID 1320 (MediaCenter.exe)
    PID 1592 (06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe) wrote to memory of PID 1320 (MediaCenter.exe)
    PID 1592 (06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe) wrote to memory of PID 1320 (MediaCenter.exe)
    PID 1592 (06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe) wrote to memory of PID 1320 (MediaCenter.exe)
    PID 1592 (06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe) wrote to memory of PID 824 (cmd.exe)
    PID 1592 (06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe) wrote to memory of PID 824 (cmd.exe)
    PID 1592 (06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe) wrote to memory of PID 824 (cmd.exe)
    PID 1592 (06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe) wrote to memory of PID 824 (cmd.exe)
    PID 824 (cmd.exe) wrote to memory of PID 2024 (PING.EXE)
    PID 824 (cmd.exe) wrote to memory of PID 2024 (PING.EXE)
    PID 824 (cmd.exe) wrote to memory of PID 2024 (PING.EXE)
    PID 824 (cmd.exe) wrote to memory of PID 2024 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe"
  PID: 1592
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1320
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe"
    PID: 824
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2024
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 25c7e55b3da472a1531e56efcfff1d69
  SHA1: 550d48dd0ee3412526409ce0dd557484baa05542
  SHA256: d6020a8ee5dd0ff048a01412c9320c43e5283177e5a3ce2c2d2da6792089f9de
  SHA512: b61d70cd8292f9c2db1ecb3b8628409d900c2e9169f949e7dbb38cf8f8b67286efd36021a50cc7f873ca4a509a7417e9c88d43ff511b0d59193b604531dab54d
- memory/1592-55-0x00000000758A1000-0x00000000758A3000-memory.dmp
  Filesize: 8KB