Analysis
- max time kernel: 124s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:49
Static task: static1
Behavioral task: behavioral1
  Sample: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
  Resource: win10v2004-en-20220113
General
- Target: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
- Size: 36KB
- MD5: 069be2a2de10eeb2e668062fd079cb77
- SHA1: 47ef673a9c6dc1bf453e06215052385c591d4db1
- SHA256: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a
- SHA512: 2077b4467f450aaf7ca7e87659295c5e3ab2c15ce8b49e58800b3167bbf6f94412bbbc45a0caada71c7b187bc79c48349935cada7ba0445d50ee419e2f7d6b48
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid 1712  process MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid 1932  process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
    pid 964  process 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
    pid 964  process 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
    description: Token: SeIncBasePriorityPrivilege
    pid 964  process 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe, cmd.exe
    description                        pid   process                                                                 target process
    PID 964 wrote to memory of 1712    964   060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe   MediaCenter.exe   (4 entries)
    PID 964 wrote to memory of 1932    964   060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe   cmd.exe           (4 entries)
    PID 1932 wrote to memory of 1248   1932  cmd.exe                                                                 PING.EXE          (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe"
  PID: 964
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1712
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe"
    PID: 1932
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1248
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 02a4a531d52dd1326b95a007fee136af
  SHA1: 5859c46ffbcf59b66a0fd9af17a4fbcc00f9c42f
  SHA256: 1175c14848fcd73148d4890afabfab36fa1f9bd91605b438b594be016f3de911
  SHA512: f31d0349bad98a7e58a350adde622bfc84123f0dd58e426a2a14d4f91a85d954f65e70049a53a68780d16c38a0f1083dfe0e7dcbe99ba4034319f82b9998ce47
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 02a4a531d52dd1326b95a007fee136af
  SHA1: 5859c46ffbcf59b66a0fd9af17a4fbcc00f9c42f
  SHA256: 1175c14848fcd73148d4890afabfab36fa1f9bd91605b438b594be016f3de911
  SHA512: f31d0349bad98a7e58a350adde622bfc84123f0dd58e426a2a14d4f91a85d954f65e70049a53a68780d16c38a0f1083dfe0e7dcbe99ba4034319f82b9998ce47
- memory/964-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB