Analysis

Max time kernel: 119s
Max time network: 133s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 12:01
Static task: static1

Behavioral task: behavioral1
  Sample: 02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe
  Resource: win10v2004-en-20220112
General

Target: 02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe
Size: 35KB
MD5: 27e4e50882757b307e72b2f0f9932597
SHA1: 7f40ee24411d0d5bd6fc638135e35cfb7199edcc
SHA256: 02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56
SHA512: 3cd18038af9aaadb3fcc61413239394a729bd978601125a277100eb9f0413550b8b168443ba70ca616bb46277d5f0f7007f318cde43580f9c3ce0945128a10b4
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 316)

Deletes itself (1 IoC)
  Process: cmd.exe (PID 1944)

Loads dropped DLL (2 IoCs)
  Process: 02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe (PID 1696), two loads recorded

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe (PID 1696)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The key is under HKLM, so this is machine-wide persistence and needs the administrative rights the sandbox user has. It lands in the Wow6432Node view because a 32-bit process wrote it on the x64 guest, and the value points at the dropped executable in the user's Temp directory rather than at a normal program location.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but it is a generic heuristic: no file encryption or mass file modification is recorded anywhere else in this report.

Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 1088), launched by cmd.exe (PID 1944)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe (PID 1696)
  Token: SeIncBasePriorityPrivilege
  This privilege lets a process raise its own scheduling priority; it does not by itself grant access to other processes.

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1696 (02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe) wrote to memory of PID 316 (MediaCenter.exe): 4 writes
  PID 1696 (02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe) wrote to memory of PID 1944 (cmd.exe): 4 writes
  PID 1944 (cmd.exe) wrote to memory of PID 1088 (PING.EXE): 4 writes
  Every write targets a process the writer had just spawned, and cmd.exe shows the identical four-write pattern towards PING.EXE, which it has no reason to inject into. Read these IoCs as process-creation artefacts rather than evidence of code injection unless a write targets a process the writer did not create.
Processes

C:\Users\Admin\AppData\Local\Temp\02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe (PID 1696)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 316)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe (PID 1944)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE (PID 1088)
          Command line: ping 127.0.0.1
          - Runs ping.exe

The sample asks for C:\Windows\System32\cmd.exe but the process that runs is C:\Windows\SysWOW64\cmd.exe: the parent is a 32-bit process, so file system redirection serves it the 32-bit tools. The cmd.exe one-liner is a common self-removal idiom, with ping 127.0.0.1 acting as a delay of a few seconds so the original executable has exited before del /q removes it from disk; the persistent copy, MediaCenter.exe, is already running and registered in the Run key by then.
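The process tree above records two behaviours worth turning into detections: an HKLM Run key whose value points at an executable under AppData\Local\Temp, and a cmd.exe one-liner that uses ping 127.0.0.1 as a delay before deleting the file of the process that spawned it. The Python below is an added example and not part of the sandbox report. Its event records are constructed from the PIDs, paths and command line shown in this report; the field names (image, cmdline, ppid, key, value) are an assumption, loosely modelled on Sysmon process-creation and registry events, and the rule names are made up for the example.

```python
"""Detections for the behaviour recorded in this report: a dropped EXE made
persistent through an HKLM Run key, and a cmd.exe one-liner that pings
localhost as a delay and then deletes the original sample.

Added example, not part of the sandbox report. The event records below are
constructed from the PIDs, paths and command line in the report; the field
names (image, cmdline, ppid, key, value) are an assumption, loosely modelled
on Sysmon process-creation and registry events."""
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events (process tree and Run key taken from the report).
EVENTS = [
    {"type": "process", "pid": 1696, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 316, "ppid": 1696, "image": DROPPED,
     "cmdline": DROPPED},
    {"type": "process", "pid": 1944, "ppid": 1696,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1088, "ppid": 1944,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"type": "registry", "pid": 1696,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
            r"\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
]

# "ping <host> & del [/switches] <path>": ping is the delay, del the payload.
# Group 1 captures the deleted path with any surrounding quotes stripped.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?\S+\s*&+\s*del\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*$',
    re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def in_temp(path: str) -> bool:
    """True if the path lies under the user's AppData\\Local\\Temp directory."""
    return TEMP_RE.search(path) is not None


def parse_self_delete(cmdline: str):
    """Return the path a 'ping ... & del ...' one-liner deletes, or None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group(1).strip() if m else None


def analyze(events):
    """Run the rules over process and registry events; return the findings in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "registry":
            # Autostart entry whose target executable lives in Temp.
            if RUN_KEY_RE.search(e["key"]) and in_temp(e["value"]):
                findings.append(Finding("run_key_points_to_temp", e["pid"],
                                        f'{e["key"]} = {e["value"]}'))
            continue
        parent = procs.get(e["ppid"])  # None if the parent was not observed
        image = e["image"].lower()
        if image.endswith("\\cmd.exe"):
            target = parse_self_delete(e["cmdline"])
            if target:
                # Is the shell deleting the executable of the process that spawned it?
                own = parent is not None and parent["image"].lower() == target.lower()
                findings.append(Finding(
                    "ping_del_parent_image" if own else "ping_del_other_file",
                    e["pid"], target))
            if parent and in_temp(parent["image"]):
                findings.append(Finding("temp_exe_spawns_cmd", e["pid"], parent["image"]))
        elif in_temp(e["image"]) and parent and in_temp(parent["image"]):
            # Executable in Temp launching another executable it dropped in Temp.
            findings.append(Finding("temp_exe_spawns_temp_exe", e["pid"], e["image"]))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

On the constructed events this yields four findings: MediaCenter.exe (PID 316) as a Temp executable started by another Temp executable, cmd.exe (PID 1944) both as a shell spawned from Temp and as a ping-then-del one-liner whose target is its parent's own image, and the Run key written by PID 1696. The self-delete regex also accepts the `ping -n N` and `&&` variants of the idiom and multiple del switches, so it covers more than the exact command line in this report.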
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(The report lists this dropped file three times, once as C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe and twice as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; all three entries carry the same hashes. They differ from the submitted sample's hashes, so this is a distinct binary, not a copy of the parent.)
MD5: 46a37330301a379e6d7a8bad8fde7359
SHA1: b672c074fbda4756921a38fc104d1720d0e281ac
SHA256: 8f68edd37cb6cb4da6c936053c42637fd90c28c60f5a4e339158598e69350f10
SHA512: f901702e9a0d9bf52eb00e8ae961db53a4362cf2cf85a3b81154ae8b0aa47e201a2f95e1acf22f460b6af8a249bee0712f3de9b64a1442ece9c5de8c90130846

memory/1696-54-0x0000000076001000-0x0000000076003000-memory.dmp
Filesize: 8KB