Analysis
- max time kernel: 122s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:17
Static task: static1
Behavioral task: behavioral1
- Sample: 04c6b2185d784c4f90b72544bf9059921c071b247f6dfb8f3dfb649480e51dd1.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 04c6b2185d784c4f90b72544bf9059921c071b247f6dfb8f3dfb649480e51dd1.exe
- Resource: win10v2004-en-20220113
General
- Target: 04c6b2185d784c4f90b72544bf9059921c071b247f6dfb8f3dfb649480e51dd1.exe
- Size: 35KB
- MD5: b11d4d1e15c01683f34ffb0c3d8380b1
- SHA1: cfdea9f6402cf0f0261f2e5c83b73810853154ee
- SHA256: 04c6b2185d784c4f90b72544bf9059921c071b247f6dfb8f3dfb649480e51dd1
- SHA512: 6483bde1fe12bbbb258de6eb58592ef027c4283b4b097d9b738de5802d4487b94c323c078b41f84d4501014a886f23b8e5a28e0bbdd788cce5495b91da724ecf
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1588  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    PID 1724  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 836  04c6b2185d784c4f90b72544bf9059921c071b247f6dfb8f3dfb649480e51dd1.exe (listed twice)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    04c6b2185d784c4f90b72544bf9059921c071b247f6dfb8f3dfb649480e51dd1.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    PID 836  04c6b2185d784c4f90b72544bf9059921c071b247f6dfb8f3dfb649480e51dd1.exe: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each of the three entries below is recorded four times in the report):
    PID 836 (04c6b2185d784c4f90b72544bf9059921c071b247f6dfb8f3dfb649480e51dd1.exe) wrote to memory of PID 1588 (MediaCenter.exe)
    PID 836 (04c6b2185d784c4f90b72544bf9059921c071b247f6dfb8f3dfb649480e51dd1.exe) wrote to memory of PID 1724 (cmd.exe)
    PID 1724 (cmd.exe) wrote to memory of PID 396 (PING.EXE)
Processes
1. C:\Users\Admin\AppData\Local\Temp\04c6b2185d784c4f90b72544bf9059921c071b247f6dfb8f3dfb649480e51dd1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\04c6b2185d784c4f90b72544bf9059921c071b247f6dfb8f3dfb649480e51dd1.exe"
   PID: 836
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1588
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04c6b2185d784c4f90b72544bf9059921c071b247f6dfb8f3dfb649480e51dd1.exe"
      PID: 1724
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 396
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1684ea670608c793d82f8ac5f2befb93
  SHA1: 7fca8334c5f3b9f8a343eab3e17832d3dfdba7b0
  SHA256: a134c0c7d22d54aebe3d1ffc14a5c74b596c0afe63fe67d0c15a5c2cedeec3b6
  SHA512: 59ae3a8a13f8f39facf791aa2b6cbb56c47e625deba9d399b5048af4be5cbd20df28b72628060d86a76f956dae309bc2965ec270733570d921c24e0d68dbb44b
- memory/836-54-0x0000000076421000-0x0000000076423000-memory.dmp
  Filesize: 8KB