Analysis
- Max time kernel: 139s
- Max time network: 156s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 12-02-2022 11:55
Static task: static1
Behavioral task: behavioral1
- Sample: 0302e3d969bd17a024cfa8a2a18063796194cf88a219bf3ee0595a1a11542d9e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0302e3d969bd17a024cfa8a2a18063796194cf88a219bf3ee0595a1a11542d9e.exe
- Resource: win10v2004-en-20220112
The signatures and process tree on this page are from the windows7_x64 run (win7-en-20211208).
General
- Target: 0302e3d969bd17a024cfa8a2a18063796194cf88a219bf3ee0595a1a11542d9e.exe
- Size: 35KB
- MD5: 1a8948893d495f5a630e660df31209ad
- SHA1: 4f75d74e2faa95937714a8d1881e22a12121979b
- SHA256: 0302e3d969bd17a024cfa8a2a18063796194cf88a219bf3ee0595a1a11542d9e
- SHA512: be803a83db0408a211d79875d8afa748001841224ef125cc866059533590bb05ccf0c3b631554f1dd955e1df4e01bc917124999c06a1b213838c550463c5b3c8
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 320
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 1052
- Loads dropped DLL (2 IoCs)
  Process: 0302e3d969bd17a024cfa8a2a18063796194cf88a219bf3ee0595a1a11542d9e.exe, PID 808 (two loads recorded)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0302e3d969bd17a024cfa8a2a18063796194cf88a219bf3ee0595a1a11542d9e.exe, PID 808
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: this is the machine-wide HKLM Run key, seen through Wow6432Node because the sample runs as a 32-bit process on the x64 guest; writing it needs the administrative rights the sandbox user (Admin) has. The value points at the dropped copy under the user's Temp directory, so an autorun entry whose target lives in AppData\Local\Temp is the durable artifact to look for on a suspect host.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: that description is the sandbox's generic text for this signature; nothing else in this report corroborates ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0302e3d969bd17a024cfa8a2a18063796194cf88a219bf3ee0595a1a11542d9e.exe, PID 808, Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 808 (0302e3d969bd17a024cfa8a2a18063796194cf88a219bf3ee0595a1a11542d9e.exe) wrote to memory of PID 320 (MediaCenter.exe), 4 times
  PID 808 (0302e3d969bd17a024cfa8a2a18063796194cf88a219bf3ee0595a1a11542d9e.exe) wrote to memory of PID 1052 (cmd.exe), 4 times
  PID 1052 (cmd.exe) wrote to memory of PID 1100 (PING.EXE), 4 times
  Note: every target is a child the writer itself spawned (see the process tree), which is consistent with ordinary process start-up rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0302e3d969bd17a024cfa8a2a18063796194cf88a219bf3ee0595a1a11542d9e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0302e3d969bd17a024cfa8a2a18063796194cf88a219bf3ee0595a1a11542d9e.exe"
  PID: 808
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 320
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0302e3d969bd17a024cfa8a2a18063796194cf88a219bf3ee0595a1a11542d9e.exe"
    PID: 1052
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1100
      Signatures: Runs ping.exe
Notes on the tree: the command line names System32\cmd.exe but the image actually run is SysWOW64\cmd.exe, because the 32-bit parent's path is redirected by WOW64 file system redirection (the same reason the Run key lands under Wow6432Node). The cmd.exe chain pings localhost (a few seconds' delay with the default four echo requests) so that the parent has exited before del runs; what gets deleted is the original sample, while the dropped MediaCenter.exe survives and is the file registered for autorun.
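As an added example (not part of this Triage report and not the sandbox's own signature logic), the following Python flags the two behaviours recorded above from process-creation and registry-set events: a cmd.exe child whose command chain deletes its parent's image after a ping delay, and a Run value whose target lives in a user-writable staging directory. The event records are constructed by hand from the process tree and the Run-key IoC on this page (field names mimic Sysmon Event ID 1 and 13; the parent PID of 808 is not in the report and is left as None); the rule names, the list of user-writable directories and the helper functions are the editor's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample events: built by hand from the process tree and the
# Run-key IoC in the report above. Field names mimic Sysmon Event ID 1
# (process create) and Event ID 13 (registry value set); they are not real
# log records. The parent PID of 808 is not in the report, so it is None.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0302e3d969bd17a024cfa8a2a18063796194cf88a219bf3ee0595a1a11542d9e.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESS_EVENTS = [
    {"pid": 808, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 320, "ppid": 808, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 1052, "ppid": 808, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1100, "ppid": 1052, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]
REGISTRY_EVENTS = [
    {"pid": 808, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
]

DELAY_CMDS = re.compile(r"^(ping|timeout|waitfor|choice)\b", re.I)
DELETE_CMDS = re.compile(r"^(del|erase)\b", re.I)
CHAIN_OPS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Assumed list of directories an unprivileged user can write to; an autorun
# target in one of them is treated as a staging indicator.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")


def norm(path: str) -> str:
    """Case-fold and strip quotes so image paths and command-line tokens compare equal."""
    return path.strip('"').lower()


def cmd_segments(cmdline: str) -> List[str]:
    """Return the commands chained after 'cmd /c' or '/k', split on & && | ||."""
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.I)
    if not m:
        return []
    return [s.strip() for s in CHAIN_OPS.split(m.group(1)) if s.strip()]


def delete_targets(segment: str) -> List[str]:
    """Paths named by a del/erase segment, quoted or bare, with /q /f style switches dropped."""
    if not DELETE_CMDS.match(segment):
        return []
    args = segment.split(None, 1)[1] if " " in segment else ""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', args)
            if not bare.startswith("/")]


def self_delete_findings(events: List[Dict]) -> List[Dict]:
    """Flag a cmd.exe whose chain deletes its own parent's image, as in the report above."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not norm(e["image"]).endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        delayed = False
        for seg in cmd_segments(e["cmdline"]):
            if DELAY_CMDS.match(seg):
                delayed = True  # ping/timeout before del: waits for the parent to exit
                continue
            for target in delete_targets(seg):
                if norm(target) == norm(parent["image"]):
                    findings.append({"rule": "self_delete_via_cmd", "pid": e["pid"],
                                     "parent_pid": parent["pid"], "target": target,
                                     "delayed": delayed})
    return findings


def run_key_findings(events: List[Dict]) -> List[Dict]:
    """Flag Run/RunOnce values and record hive scope, WOW64 view and a user-writable target."""
    findings = []
    for e in events:
        if not RUN_KEY.search(e["key"]):
            continue
        key_l, value_l = e["key"].lower(), norm(e["value"])
        findings.append({"rule": "run_key_persistence", "pid": e["pid"], "value": e["value"],
                         "scope": "machine" if key_l.startswith("\\registry\\machine") else "user",
                         "wow64": "\\wow6432node\\" in key_l,
                         "staged_in_user_writable": any(d in value_l for d in USER_WRITABLE)})
    return findings


def run_all() -> List[Dict]:
    """Run both rules over the constructed events and return the findings."""
    return self_delete_findings(PROCESS_EVENTS) + run_key_findings(REGISTRY_EVENTS)


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

Against the constructed events the self-deletion rule fires for PID 1052 (parent 808, delayed by ping) and the Run-key rule reports a machine-scope, Wow6432Node value whose target is under AppData\Local\Temp. The parent match is done on the image path rather than the command line because the report itself shows the two can differ (System32 in the command line, SysWOW64 on disk).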
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also listed as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; same file, same hashes)
  MD5: ba7eddecdb885745714cb8ebef92261b
  SHA1: f921ee310384f58f412d4ca175b8f138193dfef4
  SHA256: 459d6013df9187f00263a6de1ee452254748d27fd9aeab1a0106797edc1aef1d
  SHA512: 0dc5cc83109c2df8d2b7f18184d9570180a90286fb2e496ff0d5c68c1e40d8d72234f03389f6b4886e211b4cac7f45a8b242e051ecc19861743fabb5a3b4494f
  Note: these hashes differ from the submitted sample's, so MediaCenter.exe is a distinct file rather than a renamed copy; hunt for both hash sets.
- memory/808-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB