Analysis
- max time kernel: 152s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:22
Static task: static1
Behavioral task: behavioral1
- Sample: 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe
- Resource: win10v2004-en-20220112
General
- Target: 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe
- Size: 35KB
- MD5: 81b21f113552a90b9ccef8fed2b7c561
- SHA1: e6c083be31b50c3481efeb7a185188597322616b
- SHA256: 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5
- SHA512: 66ea90602d23ccb3cacf822e1c634b455806006e962e65938b6adb941086af02814b907ce3d40c6be7cce5a4402d4fd715ac68c6c5969f71b4e32c25cda76c54
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  1368 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  436 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  840 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe
  840 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege | 840 | 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 840 wrote to memory of 1368 | 840 | 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe | MediaCenter.exe
  PID 840 wrote to memory of 1368 | 840 | 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe | MediaCenter.exe
  PID 840 wrote to memory of 1368 | 840 | 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe | MediaCenter.exe
  PID 840 wrote to memory of 1368 | 840 | 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe | MediaCenter.exe
  PID 840 wrote to memory of 436 | 840 | 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe | cmd.exe
  PID 840 wrote to memory of 436 | 840 | 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe | cmd.exe
  PID 840 wrote to memory of 436 | 840 | 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe | cmd.exe
  PID 840 wrote to memory of 436 | 840 | 048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe | cmd.exe
  PID 436 wrote to memory of 1216 | 436 | cmd.exe | PING.EXE
  PID 436 wrote to memory of 1216 | 436 | cmd.exe | PING.EXE
  PID 436 wrote to memory of 1216 | 436 | cmd.exe | PING.EXE
  PID 436 wrote to memory of 1216 | 436 | cmd.exe | PING.EXE
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 840
  - Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1368
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\048ef37796b921efeb9e32d72691016bab7d86f9cea5ddd3f9a622b9a53867c5.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 436
    - Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1216
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f965467adf6a799d21b3391b596a2944
  SHA1: e761542fe8283db2073649bedb4b27a31e878af1
  SHA256: aa264afb586dfdb44804dca72cd1591fd1d891898de489315912c6ff1fa7e708
  SHA512: 816e9e38d984ed14517e435963f17bdf2bf181ebd252eac909941725bf8183360df6490700a9edc8c6969c53c331874c36847e15326fd9cdfd2fe9727b230dba
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f965467adf6a799d21b3391b596a2944
  SHA1: e761542fe8283db2073649bedb4b27a31e878af1
  SHA256: aa264afb586dfdb44804dca72cd1591fd1d891898de489315912c6ff1fa7e708
  SHA512: 816e9e38d984ed14517e435963f17bdf2bf181ebd252eac909941725bf8183360df6490700a9edc8c6969c53c331874c36847e15326fd9cdfd2fe9727b230dba
-
- memory/840-55-0x00000000763F1000-0x00000000763F3000-memory.dmp
  Filesize: 8KB