Analysis
- max time kernel: 155s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:47
Static task: static1
Behavioral task: behavioral1
- Sample: 06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c.exe
- Resource: win10v2004-en-20220112
The signatures, process tree and downloads below come from behavioral1 (win7-en-20211208, the platform named in the Analysis header); results for behavioral2 are not included on this page.
General
- Target: 06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c.exe
- Size: 58KB
- MD5: 6fcd910e4221a6df5a23757ca723cd7f
- SHA1: a5f30166b9ac80c7370a81b428a9da38d4e0a618
- SHA256: 06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c
- SHA512: 4ce21f94947e76c169375c26cba1d4ec648b9bf79a0a285b22cc9e5b126e103236ab662609cae34ff0da3595de4f4aa5a25c06abea2f64875281109886136929
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1224
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 1484
- Loads dropped DLL (2 IoCs)
  Process: 06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c.exe, PID 1892 (two load events recorded)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c.exe, PID 1892
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path is the WOW64 registry redirector at work: a 32-bit process opened HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and Windows redirected the write to the 32-bit view. It is a machine-wide (HKLM) Run entry, so it fires for every user who logs on, and it points into a user-writable Temp directory; that combination is the one worth alerting on.
- Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." This is a generic heuristic; no file encryption, mass rename or ransom-note activity appears anywhere else in this report, so treat the ransomware label as unconfirmed.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE, PID 1800 (see the process tree)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c.exe, PID 1892, enabled token privilege SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1892 (06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c.exe) wrote to PID 1224 (MediaCenter.exe), 4 times
  PID 1892 (06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c.exe) wrote to PID 1484 (cmd.exe), 4 times
  PID 1484 (cmd.exe) wrote to PID 1800 (PING.EXE), 4 times
  Every target is a child the writer had just created, and the same four-write pattern appears when the benign cmd.exe launches ping. CreateProcess writes the new process's startup parameters into its address space, so these entries record ordinary process creation rather than injection into an unrelated process.
Processes
(indentation shows parent/child; the sandbox marks depth with 1⤵, 2⤵, 3⤵)

C:\Users\Admin\AppData\Local\Temp\06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c.exe  (PID 1892, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1224, depth 2, parent 1892)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe  (PID 1484, depth 2, parent 1892)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE  (PID 1800, depth 3, parent 1484)
          Command line: ping 127.0.0.1
          - Runs ping.exe

Notes on the tree:
- The sample starts the dropped MediaCenter.exe, then a cmd.exe line that removes the original file. "ping 127.0.0.1" is a crude sleep: the default four echo requests take a few seconds, long enough for PID 1892 to exit and release its executable so that "del /q" succeeds, and "&" runs del regardless of ping's exit status. Together with the Run key, this leaves MediaCenter.exe in Temp as the surviving copy at the next logon.
- The command line names System32\cmd.exe, but the image that ran is SysWOW64\cmd.exe: file system redirection maps System32 to SysWOW64 for a 32-bit caller, which confirms the sample is a 32-bit binary.
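The behaviours above (Run key into Temp, ping-then-del self-removal, the two file hashes) map directly onto detection logic. The following Python is an added example, not part of the sandbox report: it runs those checks over constructed events that imitate Sysmon process-creation and registry-set records. The event field names (type, pid, ppid, image, cmdline, sha256, target_object, details), the dropper's parent PID, and the benign control entries are assumptions of this example.

```python
"""
Added example (not part of the sandbox report): turns the indicators in the
report above into detection logic and runs it over constructed events that
mimic Sysmon process-creation and registry-set records. The event field
names (type, pid, ppid, image, cmdline, sha256, target_object, details) are
an assumption of this example, not a format the report uses.
"""
import re
from typing import Dict, List, Optional

# Hashes copied from the report: the submitted sample and the dropped file.
IOC_SHA256: Dict[str, str] = {
    "06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c": "dropper",
    "b20c1ce44392659d233741ce515014161d454e082e6d045261b033c3d21c47cf": "dropped MediaCenter.exe",
}

# Run / RunOnce keys, with or without the WOW64 Wow6432Node view.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)
# Locations a non-admin user can write to; autostart entries pointing here
# deserve a look.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(?:Local|Roaming)\\|\\Temp\\|\\Users\\Public\\", re.IGNORECASE
)
# "cmd /c ping 127.0.0.1 & del /q <exe>": ping is a crude sleep so the
# dropper can exit (and release its image) before del runs.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/[ck]\s+ping\b.*?&\s*del\b(?:\s+/\w+)*\s+"?(?P<target>[^"&]+?\.exe)"?',
    re.IGNORECASE,
)


def hash_findings(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Match process image hashes against the report's IOC list."""
    out = []
    for e in events:
        label = IOC_SHA256.get(e.get("sha256", "").lower())
        if label:
            out.append({"pid": e["pid"], "image": e["image"], "ioc": label})
    return out


def run_key_findings(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Autostart entries whose target lives in a user-writable directory."""
    return [
        e for e in events
        if e["type"] == "registry_set"
        and RUN_KEY_RE.search(e["target_object"])
        and USER_WRITABLE_RE.search(e["details"])
    ]


def self_delete_findings(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """cmd.exe children whose 'ping & del' target is the parent's own image.

    Tying the deleted path to the parent's image separates this from an
    operator who happens to run ping or del by hand.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    out = []
    for e in procs.values():
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group("target").strip().lower()
        parent: Optional[Dict[str, str]] = procs.get(e["ppid"])
        if parent and parent["image"].lower() == target:
            out.append({"pid": e["pid"], "parent_pid": parent["pid"], "deleted": target})
    return out


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events reproducing the report's process tree (parent PID 900 for
# the dropper is invented), plus two benign controls: an operator pinging
# localhost and a hypothetical vendor autostart under Program Files.
EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "pid": "1892", "ppid": "900", "image": DROPPER,
     "cmdline": '"%s"' % DROPPER,
     "sha256": "06212260432d2b80ec1226ecf72839b11edf8f080152ad6e5a42093d8456191c"},
    {"type": "registry_set", "pid": "1892",
     "target_object": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"type": "process_create", "pid": "1224", "ppid": "1892", "image": DROPPED,
     "cmdline": DROPPED,
     "sha256": "b20c1ce44392659d233741ce515014161d454e082e6d045261b033c3d21c47cf"},
    {"type": "process_create", "pid": "1484", "ppid": "1892",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "%s"' % DROPPER},
    {"type": "process_create", "pid": "1800", "ppid": "1484",
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"type": "process_create", "pid": "2000", "ppid": "1500",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ping 127.0.0.1 -n 3"},
    {"type": "registry_set", "pid": "2100",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\Updater.exe /background"},
]

if __name__ == "__main__":
    for f in hash_findings(EVENTS) + run_key_findings(EVENTS) + self_delete_findings(EVENTS):
        print(f)
```

Run against the constructed events, the script reports both known hashes, the single Run entry that points into AppData\Local\Temp, and the one cmd.exe whose del target equals its parent's image; the bare "ping 127.0.0.1 -n 3" and the Program Files autostart are left alone. The user-writable-path heuristic will also flag some legitimate per-user installers that autostart from AppData, so in production pair it with signer or prevalence data rather than alerting on it by itself.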
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 63d3e9fcbae00f0d64382fad23e2451e
  SHA1: 6981e8324312593ad34f37c2d64ee9cc26cbd728
  SHA256: b20c1ce44392659d233741ce515014161d454e082e6d045261b033c3d21c47cf
  SHA512: 1667a34f5484740121cdf58ed805c0a45f7d7ed056a7679cdc8f7986065da293437bf1febc9b07d6129d2e77b03fa6a25bd13ea611a51b1a4808ca4992607f69
  These hashes differ from the submitted sample's, so the dropped MediaCenter.exe is not a byte-for-byte copy of the dropper.
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the same file under its drive-relative path; the sandbox lists this entry twice with identical hashes)
  MD5: 63d3e9fcbae00f0d64382fad23e2451e
  SHA1: 6981e8324312593ad34f37c2d64ee9cc26cbd728
  SHA256: b20c1ce44392659d233741ce515014161d454e082e6d045261b033c3d21c47cf
  SHA512: 1667a34f5484740121cdf58ed805c0a45f7d7ed056a7679cdc8f7986065da293437bf1febc9b07d6129d2e77b03fa6a25bd13ea611a51b1a4808ca4992607f69
- memory/1892-54-0x0000000076071000-0x0000000076073000-memory.dmp
  Filesize: 8KB (memory region dumped from PID 1892)