Analysis
- max time kernel: 151s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:50
Static task: static1
Behavioral task: behavioral1
  Sample: 06031671cc98e9fd76543a44f9ffff750bcaa4fca240b66ef0c933963dee7081.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 06031671cc98e9fd76543a44f9ffff750bcaa4fca240b66ef0c933963dee7081.exe
  Resource: win10v2004-en-20220113
General
- Target: 06031671cc98e9fd76543a44f9ffff750bcaa4fca240b66ef0c933963dee7081.exe
- Size: 60KB
- MD5: 8671c044fd45b2528dbd2f4bbf68c06c
- SHA1: 6363c371d4b274a9529238fa340ed852a8aa5c03
- SHA256: 06031671cc98e9fd76543a44f9ffff750bcaa4fca240b66ef0c933963dee7081
- SHA512: ecdb6c58fe7489a63816760087653c82bd9e1642899b0c2a1a96b87d8cf496d9ead203b7f6fc0207d7f619eb0016d456f6180739f8cf6510113bb69fdefb6e09
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    PID 1876  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    PID 1648  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 528  06031671cc98e9fd76543a44f9ffff750bcaa4fca240b66ef0c933963dee7081.exe
    PID 528  06031671cc98e9fd76543a44f9ffff750bcaa4fca240b66ef0c933963dee7081.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    Description: Set value (str)
    IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    Process: 06031671cc98e9fd76543a44f9ffff750bcaa4fca240b66ef0c933963dee7081.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    Description: Token: SeIncBasePriorityPrivilege
    PID 528  06031671cc98e9fd76543a44f9ffff750bcaa4fca240b66ef0c933963dee7081.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process):
    PID 528 wrote to memory of 1876   06031671cc98e9fd76543a44f9ffff750bcaa4fca240b66ef0c933963dee7081.exe -> MediaCenter.exe   (4 events)
    PID 528 wrote to memory of 1648   06031671cc98e9fd76543a44f9ffff750bcaa4fca240b66ef0c933963dee7081.exe -> cmd.exe   (4 events)
    PID 1648 wrote to memory of 1628  cmd.exe -> PING.EXE   (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\06031671cc98e9fd76543a44f9ffff750bcaa4fca240b66ef0c933963dee7081.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06031671cc98e9fd76543a44f9ffff750bcaa4fca240b66ef0c933963dee7081.exe"
  Level 1, PID: 528
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Level 2, PID: 1876
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06031671cc98e9fd76543a44f9ffff750bcaa4fca240b66ef0c933963dee7081.exe"
    Level 2, PID: 1648
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Level 3, PID: 1628
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 9c0d28e82877072b3d1b12b9988cacc1
  SHA1: 433812b5219f36fad2c9c02584a62600c7fb03d1
  SHA256: 02922da80af263436a208af81d3a1788c352d7794895c336566d22ed8421dfd8
  SHA512: fe50183f6dd75a13b48da8352ced202d150c72edf74216abb0f1ff50b356a9b6deac1a22e8ce02b9cb4f09628f87adeeba0f314342d93242bf862328e28f06b2
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 9c0d28e82877072b3d1b12b9988cacc1
  SHA1: 433812b5219f36fad2c9c02584a62600c7fb03d1
  SHA256: 02922da80af263436a208af81d3a1788c352d7794895c336566d22ed8421dfd8
  SHA512: fe50183f6dd75a13b48da8352ced202d150c72edf74216abb0f1ff50b356a9b6deac1a22e8ce02b9cb4f09628f87adeeba0f314342d93242bf862328e28f06b2
- memory/528-54-0x0000000076121000-0x0000000076123000-memory.dmp
  Filesize: 8KB