Analysis
- max time kernel: 117s
- max time network: 127s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:45
Static task: static1
Behavioral task: behavioral1
  Sample: 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe
  Resource: win10v2004-en-20220113
General
- Target: 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe
- Size: 58KB
- MD5: 88d30bb6e46671e9afe8a6af93684bd4
- SHA1: 7e0cd53ee2df4ee852538971fa2c7ff2589fb48f
- SHA256: 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766
- SHA512: d192e10de341a0835771a7220011b3891fbea46ff6cf223a91356618947dbcf603124666b3aa636ad0bc75e937ed9690eebb4c242ee2fec7cedc6740515673e5
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid | process
    1712 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid | process
    1448 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe
    pid | process
    964 | 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe
    964 | 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 964 | 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe, cmd.exe
    description | pid | process | target process
    PID 964 wrote to memory of 1712 | 964 | 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe | MediaCenter.exe (4 entries)
    PID 964 wrote to memory of 1448 | 964 | 0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe | cmd.exe (4 entries)
    PID 1448 wrote to memory of 1844 | 1448 | cmd.exe | PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 964
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1712
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0635a4d7e90012e58e4d12fa69ab4759de501f38c59dc8b65120a58708eb2766.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1448
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1844
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 875fa00ea36e8ecfc008ab1497d2ad45
  SHA1: 8675756df9f37bddd09ea3f80f9b80e8d4b06d29
  SHA256: 3f6c10df2a88b240d076e6680ab644e158e6d5ae11e71641c3c5f95309c6d1e4
  SHA512: 38df2594ee3b2c6c2e4be5f167dc449f8da055ce8bc7e6f4922d6263a8ff926590c962d53a088d8341fed16094092d95610620f656f005a8c75a2bbe863df999
- memory/964-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB