Analysis
- max time kernel: 122s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:51
Static task: static1
Behavioral task: behavioral1
- Sample: 05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe
- Resource: win10v2004-en-20220113
General
- Target: 05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe
- Size: 36KB
- MD5: 5da558d17a8f6698bfc4ed264d5806e1
- SHA1: 618577ed1a0f663a8aa7d88178f983919d85c7f5
- SHA256: 05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf
- SHA512: 502f3b65452c3a96e3a9aaa8727c9f10c227d21881111717fee17a588c50a1c526a0182a7b7760f8e3efbc57363ec04e12e6b3b2539e4da0106637a5c00be977
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1864 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: PID 1988 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 952 05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe (2 loads)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 952 05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe, Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID -> target PID, source process -> target process):
  PID 952 wrote to memory of 1864: 05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe -> MediaCenter.exe (4 events)
  PID 952 wrote to memory of 1988: 05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe -> cmd.exe (4 events)
  PID 1988 wrote to memory of 1980: cmd.exe -> PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe (PID 952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1864)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1988)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1980)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 303b8c7e3a8bd1432bf0172fdc77e87d
  SHA1: 6705bf9dd17f6bebaf2960ce2639547fce53484a
  SHA256: 4a2d237897d9f5774bbbf003eae5a191aa1f31fccebf17d1e8ff2e57e257208f
  SHA512: 100e79c78236f6d3c06e6f52d247a4eb1f308c050660fb6c812d3f7176f6ef8dd5d0d1b27db68d81c66745444ca25769385f0a4f7d97b3eb5cefe7f46f08bd0c
- memory/952-54-0x0000000076041000-0x0000000076043000-memory.dmp
  Filesize: 8KB