Analysis
- max time kernel: 121s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:12
Static task: static1
Behavioral task: behavioral1
  Sample: 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe
  Resource: win10v2004-en-20220112
General
- Target: 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe
- Size: 58KB
- MD5: 0758dfc725cb094cd9801b0c83de0561
- SHA1: cf980ea496395384722c7ca34b302aec485c2dde
- SHA256: 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a
- SHA512: 2b131b3b19765fe44b44ed6604f5114636aa5d1cb34826b1ed480664c835bb8b7ed681b9be5c1ce3026c1739e785c32ce0f110844d4a816b8829a135055e35d2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1028 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: pid 432 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 960 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: pid 960 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 960 (050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe) wrote to memory of PID 1028 (MediaCenter.exe), 4 events
  PID 960 (050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe) wrote to memory of PID 432 (cmd.exe), 4 events
  PID 432 (cmd.exe) wrote to memory of PID 1796 (PING.EXE), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe (PID 960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1028, child of 960)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 432, child of 960)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1796, child of 432)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a86241e193bba779b57290fe823caa1c
  SHA1: deb475c5678bd059934ba322ae1ebbc1d746f785
  SHA256: 4446403c23dbc40b2c12ef8280af6bf1f5b2aac92d3670fe140af59d99a67aa1
  SHA512: e93ee8a56710bb3ad99f6f0de293cc61962a1579ad685ff6c7d841aabf485ac1b01707b6eff7966fc8760ef9537c7dd7f9908ec9cd3d3cfe2228a401506c2d1a
- memory/960-54-0x0000000076151000-0x0000000076153000-memory.dmp
  Filesize: 8KB