Analysis
- max time kernel: 121s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:50
Static task: static1
Behavioral task: behavioral1
- Sample: 060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe
- Resource: win10v2004-en-20220112
General
- Target: 060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe
- Size: 58KB
- MD5: b56d1b4abf55a0b333f145dad7b52ecb
- SHA1: 925d2dd7f9cfa1b53a27724cf9852d6cc6725568
- SHA256: 060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8
- SHA512: 16d049f21ccb48bb845d1e69ac233a15236035c48b9677992c48c8a14b8229e9edc6ba6792a56fae5c74272a17c476840f009cf1100b27826927f1b4f8ee631d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1480
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 1700
- Loads dropped DLL (2 IoCs)
  Process: 060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe, PID 780 (both IoCs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe, PID 780
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: the value lives under Wow6432Node because a 32-bit process wrote HKLM\Software on a 64-bit guest; the persisted binary is the dropped MediaCenter.exe in a user-writable Temp directory.
- Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour. This is the signature's generic description; the report lists no file writes other than the dropped MediaCenter.exe, so treat it as a weak indicator on its own.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE, PID 924 (see the process tree below)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe, PID 780
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 780 (060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe) wrote to memory of PID 1480 (MediaCenter.exe): 4 events
  - PID 780 (060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe) wrote to memory of PID 1700 (cmd.exe): 4 events
  - PID 1700 (cmd.exe) wrote to memory of PID 924 (PING.EXE): 4 events
  All twelve writes are parent-to-child at process creation (the same source/target pairs as the process tree), not writes into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe (PID 780)
  Command line: "C:\Users\Admin\AppData\Local\Temp\060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1480)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1700)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 924)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe

Notes on the tree: the command line names System32\cmd.exe but the image actually loaded is SysWOW64\cmd.exe, because WoW64 file-system redirection applies to the 32-bit parent; this matches the Wow6432Node Run key above. The "ping 127.0.0.1 & del /q <own path>" chain is the usual self-deletion idiom: ping of loopback is used purely as a short delay so the original executable has exited and released its file handle before del runs, leaving only the dropped MediaCenter.exe on disk.
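The two behaviours in this tree, the ping-then-del self-deletion and the Run key pointing into a Temp directory, are both easy to match on process-creation and registry telemetry. The following is an added example, not part of the sandbox report or the sample's code: it runs that detection logic over event records constructed from the report's own command lines, paths and PIDs. The record field names (pid, ppid, image, cmdline, op, key, name, data) are an assumption and do not correspond to any particular sandbox or EDR export format.

```python
import re

# Added example (not from the report). Event records constructed from the
# process tree and the registry IoC above; field names are an assumption.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESS_EVENTS = [
    {"pid": 780, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1480, "ppid": 780, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 1700, "ppid": 780, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 924, "ppid": 1700, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

REGISTRY_EVENTS = [
    {"pid": 780, "op": "SetValue",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicroMedia", "data": DROPPED},
]

# "del [/switches] <path>" (or erase); the path may be quoted and ends at the
# end of the line or at the next & or | operator.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"&|]+?)"?\s*(?:$|[&|])', re.I)
# A loopback ping in the same command line is a sleep, not network activity.
PING_DELAY_RE = re.compile(r"\bping(?:\.exe)?\b[^&|]*\b(?:127\.0\.0\.1|localhost)\b", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def _norm(path):
    """Case-insensitive comparison form of a Windows path."""
    return path.strip().strip('"').lower()


def _ancestors(pid, by_pid):
    """Yield the parent chain of pid, nearest first, stopping at unknown PIDs."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]["ppid"]
        if parent not in by_pid:
            return
        yield by_pid[parent]
        pid = parent


def detect_self_delete(events):
    """Flag cmd.exe instances whose command line deletes an ancestor's own image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not _norm(e["image"]).endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = _norm(m.group(1))
        for anc in _ancestors(e["pid"], by_pid):
            if _norm(anc["image"]) == target:
                findings.append({
                    "cmd_pid": e["pid"],
                    "deleted_pid": anc["pid"],
                    "deleted_image": anc["image"],
                    "delayed": bool(PING_DELAY_RE.search(e["cmdline"])),
                })
                break
    return findings


def detect_run_key_persistence(events):
    """Flag Run/RunOnce values and note whether they point into a user Temp dir."""
    findings = []
    for e in events:
        if e.get("op") != "SetValue" or not RUN_KEY_RE.search(e["key"]):
            continue
        findings.append({
            "pid": e["pid"],
            "value_name": e["name"],
            "target": e["data"],
            "in_temp_dir": bool(TEMP_DIR_RE.search(e["data"])),
            # Wow6432Node in the key path: a 32-bit writer on a 64-bit host.
            "wow64_redirected": "\\wow6432node\\" in e["key"].lower(),
        })
    return findings


def analyze(process_events, registry_events):
    return {
        "self_delete": detect_self_delete(process_events),
        "run_key": detect_run_key_persistence(registry_events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(PROCESS_EVENTS, REGISTRY_EVENTS), indent=2))
```

The self-deletion check walks the parent chain rather than looking only at the direct parent, so it still fires when the sample spawns cmd.exe through an intermediate launcher; a cmd.exe that deletes some unrelated file is not reported. The Run key check deliberately reports every Run/RunOnce write and leaves the Temp-directory and WoW64 flags as enrichment, since legitimate installers also write Run keys and the path is what separates the two.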
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  (listed three times in the report, once with the drive letter and twice as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; all entries carry the same hashes)
  MD5: 4bb7b1d09e573a3d613dc5d5c3b23914
  SHA1: 0f82652c73b9214d3bd4595129e3beb421e6bc32
  SHA256: 3a8fa0909626d2fa8263fd028e8947f03c777a0f893051eddf3bf8bbe55d8285
  SHA512: 52e8e8544e466f195feef72beb34c3dbfb023523b297aa41022bd4122618c2b0ab02f5a48736843e720296cc62ee3ce6b2acff552d0a75e920fb7ecf39c00187
- memory/780-55-0x00000000769D1000-0x00000000769D3000-memory.dmp
  Filesize: 8KB