Analysis
- max time kernel: 123s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:45
Static task: static1
Behavioral task: behavioral1
  Sample: 0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe
  Resource: win10v2004-en-20220113
General
- Target: 0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe
- Size: 58KB
- MD5: 7fdcb9d5cc8c8c8a92ab64f04804b668
- SHA1: d3361549e4933fd61e06ced2e843c8efd982fd00
- SHA256: 0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252
- SHA512: ad8febf845d1a06a71cf129415a637a55d5798e19df7486e70e65be1a7aa29d9b59bc0548b67d5a8939da1084bce2f02f046cae1194cb406a7fd9ddb4c379f7e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid 1040  process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
    pid 432  process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe
    pid 1660  process 0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe
    pid 1660  process 0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe
    description: Token: SeIncBasePriorityPrivilege
    pid 1660  process 0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe, cmd.exe
    description                       pid   process                                                                   target process
    PID 1660 wrote to memory of 1040  1660  0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe  MediaCenter.exe
    PID 1660 wrote to memory of 1040  1660  0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe  MediaCenter.exe
    PID 1660 wrote to memory of 1040  1660  0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe  MediaCenter.exe
    PID 1660 wrote to memory of 1040  1660  0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe  MediaCenter.exe
    PID 1660 wrote to memory of 432   1660  0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe  cmd.exe
    PID 1660 wrote to memory of 432   1660  0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe  cmd.exe
    PID 1660 wrote to memory of 432   1660  0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe  cmd.exe
    PID 1660 wrote to memory of 432   1660  0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe  cmd.exe
    PID 432 wrote to memory of 1932   432   cmd.exe                                                                   PING.EXE
    PID 432 wrote to memory of 1932   432   cmd.exe                                                                   PING.EXE
    PID 432 wrote to memory of 1932   432   cmd.exe                                                                   PING.EXE
    PID 432 wrote to memory of 1932   432   cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1660
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1040
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0637ce07eff87ba42108fcfb2f561ba03fe77e85b0f641d3e62d87b960a19252.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 432
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1932
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ff9da213b1047d077f45432eb6538076
  SHA1: 349b6b163aa7594be29db2117a319bfd1628eed5
  SHA256: b7f10664772fd75bab95f37c5731333bd8aa6d9fa6b97a69c639730cf665933c
  SHA512: 6b92108f0c2b1792d83bff50742effb9b56b9b1b6b73311858eb11ae81bf90813d0cba455aab362405f0ecf9d068f3732b948631b61a372b25f264163edfba73
- memory/1660-54-0x00000000754B1000-0x00000000754B3000-memory.dmp
  Filesize: 8KB