Analysis
-
max time kernel
118s
-
max time network
150s
-
platform
windows7_x64
-
resource
win7-en-20211208
-
submitted
12-02-2022 11:21
Static task
static1
Behavioral task
behavioral1
Sample
049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe
Resource
win10v2004-en-20220113
General
-
Target
049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe
-
Size
36KB
-
MD5
0c7b4dfab30b291bcd446a54b5337156
-
SHA1
a6185081cae3fbe24702a7e3465d25013b4af83e
-
SHA256
049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623
-
SHA512
14f56b5dd126a90ef0f8ac3544b589c97ec4e05c80079ca41c9a835339ac45196e60e75847ede38ced804940c5c511713020ae9fe0cdd64c23759573396ff8cd
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1096  MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
  pid   process
  1428  cmd.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid   process
  964   049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe
  964   049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  964   049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                         pid   process                                                                  target process
  PID 964 wrote to memory of 1096     964   049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe    MediaCenter.exe
  PID 964 wrote to memory of 1096     964   049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe    MediaCenter.exe
  PID 964 wrote to memory of 1096     964   049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe    MediaCenter.exe
  PID 964 wrote to memory of 1096     964   049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe    MediaCenter.exe
  PID 964 wrote to memory of 1428     964   049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe    cmd.exe
  PID 964 wrote to memory of 1428     964   049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe    cmd.exe
  PID 964 wrote to memory of 1428     964   049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe    cmd.exe
  PID 964 wrote to memory of 1428     964   049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe    cmd.exe
  PID 1428 wrote to memory of 1876    1428  cmd.exe                                                                  PING.EXE
  PID 1428 wrote to memory of 1876    1428  cmd.exe                                                                  PING.EXE
  PID 1428 wrote to memory of 1876    1428  cmd.exe                                                                  PING.EXE
  PID 1428 wrote to memory of 1876    1428  cmd.exe                                                                  PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 964
  -
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1096
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\049de85728a091b80f7fbd680956c0a17e4ec0d64047fca3683a3cda63f94623.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1428
    -
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1876
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
6f5d9b4b5ffbebed1c59dd976ea6de15
SHA1
d9bbd96c28724c989d243ce616055017d8a43baf
SHA256
9d5e09548dc6628cf3d33d72e1af1064124b98caa6b3c919f0ac18089a2ceef2
SHA512
fbc38ce579bf41e1ecf2be5b19f644d7079d1dfc152df451ba84cef3a11a6a6e65e4b45911f84b97f0cb2a9fde324139a803bcd26a41b3580277e628a0e84e05
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
6f5d9b4b5ffbebed1c59dd976ea6de15
SHA1
d9bbd96c28724c989d243ce616055017d8a43baf
SHA256
9d5e09548dc6628cf3d33d72e1af1064124b98caa6b3c919f0ac18089a2ceef2
SHA512
fbc38ce579bf41e1ecf2be5b19f644d7079d1dfc152df451ba84cef3a11a6a6e65e4b45911f84b97f0cb2a9fde324139a803bcd26a41b3580277e628a0e84e05
-
memory/964-54-0x0000000075D11000-0x0000000075D13000-memory.dmp
Filesize
8KB