Analysis
- max time kernel: 156s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:21
Static task: static1
Behavioral task: behavioral1
- Sample: 049b574f34d803e5d04a2707f047e597ab0d9a6281695206a7f164e6c8da5a4f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 049b574f34d803e5d04a2707f047e597ab0d9a6281695206a7f164e6c8da5a4f.exe
- Resource: win10v2004-en-20220112
General
- Target: 049b574f34d803e5d04a2707f047e597ab0d9a6281695206a7f164e6c8da5a4f.exe
- Size: 35KB
- MD5: afed24f868254deeddfd934997c4e5e0
- SHA1: cf52c21c14d31660fd0ac7249c3c950473f45947
- SHA256: 049b574f34d803e5d04a2707f047e597ab0d9a6281695206a7f164e6c8da5a4f
- SHA512: a0d75dbd205d5338ab99b072722e70a567ea53888d8aa38b9877cb0f0d2ffc509aeef1e7d1acbd3db4d64e61d3f8dc72bb111c07508f20da6727c1e592ab493e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe, PID 1292
- Deletes itself (1 IoC)
  Processes: cmd.exe, PID 1764
- Loads dropped DLL (2 IoCs)
  Processes: 049b574f34d803e5d04a2707f047e597ab0d9a6281695206a7f164e6c8da5a4f.exe, PID 1516 (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 049b574f34d803e5d04a2707f047e597ab0d9a6281695206a7f164e6c8da5a4f.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 049b574f34d803e5d04a2707f047e597ab0d9a6281695206a7f164e6c8da5a4f.exe, PID 1516
  IoC: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 049b574f34d803e5d04a2707f047e597ab0d9a6281695206a7f164e6c8da5a4f.exe, cmd.exe
  PID 1516 (049b574f34d803e5d04a2707f047e597ab0d9a6281695206a7f164e6c8da5a4f.exe) wrote to memory of PID 1292 (MediaCenter.exe): 4 events
  PID 1516 (049b574f34d803e5d04a2707f047e597ab0d9a6281695206a7f164e6c8da5a4f.exe) wrote to memory of PID 1764 (cmd.exe): 4 events
  PID 1764 (cmd.exe) wrote to memory of PID 1568 (PING.EXE): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\049b574f34d803e5d04a2707f047e597ab0d9a6281695206a7f164e6c8da5a4f.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\049b574f34d803e5d04a2707f047e597ab0d9a6281695206a7f164e6c8da5a4f.exe"
  PID: 1516
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1292
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\049b574f34d803e5d04a2707f047e597ab0d9a6281695206a7f164e6c8da5a4f.exe"
    PID: 1764
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      PID: 1568
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e1342359d878daef44dd3ed07249ef30
  SHA1: 03d357497a363cb2839fe84d7c6ac567058d0625
  SHA256: d98cd70e50f9883908a8284aa221d17436f5f718f9bc2831f4268bf6d806a689
  SHA512: ec4cef9a3e09f48ab708132827da44c8091599d9717db17fe7aad2b1ff7be1e603f5fcf2ea61fa4bff99a3ac6c7b2f56c4bd6b3958523309b1f4ecff788018ec
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e1342359d878daef44dd3ed07249ef30
  SHA1: 03d357497a363cb2839fe84d7c6ac567058d0625
  SHA256: d98cd70e50f9883908a8284aa221d17436f5f718f9bc2831f4268bf6d806a689
  SHA512: ec4cef9a3e09f48ab708132827da44c8091599d9717db17fe7aad2b1ff7be1e603f5fcf2ea61fa4bff99a3ac6c7b2f56c4bd6b3958523309b1f4ecff788018ec
- memory/1516-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB