Analysis
- max time kernel: 148s
- max time network: 163s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:43
Static task: static1
Behavioral task: behavioral1
  Sample: 064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe
  Resource: win10v2004-en-20220113
General
- Target: 064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe
- Size: 35KB
- MD5: ca3eb031f52fdb3ee35a0b2ac18d69bd
- SHA1: 8807a0f624d4d9340c57e71686972ddeceeb4ff6
- SHA256: 064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0
- SHA512: e38df41b2d4ed94776e76c6ea722d5142aa1f7c67c33ecea75d6ddddee7eceafd648827dc677736e21a06892267900e3c6d9d910134931027cce443f6764fa6e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1620)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1064)
- Loads dropped DLL (2 IoCs)
  Processes: 064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe (PID 960), 2 occurrences
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe (PID 960)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe, cmd.exe
  PID 960 (064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe) wrote to memory of PID 1620 (MediaCenter.exe): 4 occurrences
  PID 960 (064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe) wrote to memory of PID 1064 (cmd.exe): 4 occurrences
  PID 1064 (cmd.exe) wrote to memory of PID 1944 (PING.EXE): 4 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe (PID 960)
   Command line: "C:\Users\Admin\AppData\Local\Temp\064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1620)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1064)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1944)
         Command line: ping 127.0.0.1
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1210adf533a5eba59e4718cf15254bef
  SHA1: 1eb0941a280fec0e61b43ff185d11fd2d61185a9
  SHA256: d308bc94341b9acbd5c4da7289527cdc141d6d2559eefc4a50156b2707a4a352
  SHA512: 090bfdda847bb6b748127c55b1b6a42c97018f16b4d8018bf3159706a7c5aad152097f43435e790feebcbbb6f4d6a88201fecded0d5674639ffb4640161cf470
- memory/960-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB