Analysis
Max time kernel: 118s
Max time network: 137s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 12:00
Static task: static1
Behavioral task: behavioral1
  Sample: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
  Resource: win10v2004-en-20220113
General
Target: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
Size: 58KB
MD5: 8394a3790b749ab6b2a4e4490e08099d
SHA1: 0348178d46bae1717fae050f4c6ca006a955be67
SHA256: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9
SHA512: 708b57534333137c348648e8742884f1e2191ea5b1f70278e88bdaf738d2df42ac796038f78bc863d29b6a0794c02f6a5cfe0c4a4eb4f99af4ae10bed74f4807
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 828)

Deletes itself (1 IoC)
  Process: cmd.exe (PID 1032)

Loads dropped DLL (2 IoCs)
  Process: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe (PID 1664), 2 events

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe (PID 1664)
  Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1664 (02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe) wrote to memory of PID 828 (MediaCenter.exe), 4 events
  PID 1664 (02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe) wrote to memory of PID 1032 (cmd.exe), 4 events
  PID 1032 (cmd.exe) wrote to memory of PID 1328 (PING.EXE), 4 events
Processes

C:\Users\Admin\AppData\Local\Temp\02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe"
  PID: 1664
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 828
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe"
    PID: 1032
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1328
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 82179daff377c457153d79116f2a6c62
  SHA1: 8684dde13b7dfebf6892f5343019f7b53dc67bde
  SHA256: 278c6c7527aa47d090c21a2840c6100909f0a1994eda9b80a7109cb6439e7cba
  SHA512: 8c9795be0e70e1fd9f966920aa3ff897c63340eda80a8efb16a23aa700644c8fc32a8d301d677ed0e1184ed25e22e05474d88468e30cf7dbda67bdfe96da0c0d
memory/1664-54-0x0000000075B51000-0x0000000075B53000-memory.dmp
  Filesize: 8KB