Analysis
Max time kernel: 139s
Max time network: 164s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 11:23
Static task: static1
Behavioral task: behavioral1
  Sample: 0480a905c5cc900ae771361debf5be8353a794f1a444fe0f541301a1b7a0ec6c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0480a905c5cc900ae771361debf5be8353a794f1a444fe0f541301a1b7a0ec6c.exe
  Resource: win10v2004-en-20220113
General
Target: 0480a905c5cc900ae771361debf5be8353a794f1a444fe0f541301a1b7a0ec6c.exe
Size: 35KB
MD5: 2be4d7c01e8e5c491e7f60f928275d8d
SHA1: 5a1b34cc1410475bef5083895f07c4ff12123bed
SHA256: 0480a905c5cc900ae771361debf5be8353a794f1a444fe0f541301a1b7a0ec6c
SHA512: 73c611606754bab70c2c41c47f7d64a42bf09f75dcfb5447bf6de7d7506c169963542b529e2ea2c770bf69af8bc8f93560d37865ed58550c71c74e82154f6209
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1588)
Deletes itself (1 IoC)
  Process: cmd.exe (PID 1976)
Loads dropped DLL (2 IoCs)
  Process: 0480a905c5cc900ae771361debf5be8353a794f1a444fe0f541301a1b7a0ec6c.exe (PID 1608), two loads
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0480a905c5cc900ae771361debf5be8353a794f1a444fe0f541301a1b7a0ec6c.exe (PID 1608)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  This is a machine-wide (HKLM) Run key, so the write needed administrative rights. The Wow6432Node path is WoW64 registry redirection: a 32-bit process writing HKLM\SOFTWARE on 64-bit Windows. The value points at the dropped copy in the user's Temp directory, so it is the dropped MediaCenter.exe, not the original sample (which deletes itself, below), that persists across logons.
Enumerates physical storage devices (1 TTP)
  The sample attempts to interact with connected storage/optical drives. The sandbox's signature text labels this "likely ransomware behaviour", but it is a generic heuristic: nothing else in this report corroborates it (no dropped or modified files beyond MediaCenter.exe, no ransom note, no encryption activity), so treat it as drive enumeration until the dropped MediaCenter.exe has been analysed.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0480a905c5cc900ae771361debf5be8353a794f1a444fe0f541301a1b7a0ec6c.exe (PID 1608), Token: SeIncBasePriorityPrivilege
  Caveat: this privilege only lets a process raise scheduling priority; ordinary software enables it too, so on its own it is weak evidence.
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1608 (0480a905c5cc900ae771361debf5be8353a794f1a444fe0f541301a1b7a0ec6c.exe) wrote to memory of PID 1588 (MediaCenter.exe), 4 times
  PID 1608 (0480a905c5cc900ae771361debf5be8353a794f1a444fe0f541301a1b7a0ec6c.exe) wrote to memory of PID 1976 (cmd.exe), 4 times
  PID 1976 (cmd.exe) wrote to memory of PID 1968 (PING.EXE), 4 times
  Each target is the writer's own direct child (see Processes), which is consistent with the writes CreateProcess itself performs into a freshly created child rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\0480a905c5cc900ae771361debf5be8353a794f1a444fe0f541301a1b7a0ec6c.exe (PID 1608)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0480a905c5cc900ae771361debf5be8353a794f1a444fe0f541301a1b7a0ec6c.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1588)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Signatures: Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe (PID 1976)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0480a905c5cc900ae771361debf5be8353a794f1a444fe0f541301a1b7a0ec6c.exe"
      Signatures: Deletes itself; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 1968)
          Command line: ping 127.0.0.1
          Signatures: Runs ping.exe
Notes on the tree: the ping to 127.0.0.1 is a short delay so that del runs after the parent (PID 1608) has exited and released its image file; that is how a running executable removes itself. The command line names C:\Windows\System32\cmd.exe but the image actually loaded is C:\Windows\SysWOW64\cmd.exe, because the 32-bit parent is subject to WoW64 file-system redirection (the same reason the Run key landed under Wow6432Node).
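Added detection example, written for this page rather than taken from the sandbox or the sample: it replays constructed Sysmon-style events modelled on the process tree and the Run-key write in the Signatures section, and flags the two behaviours worth alerting on, a Run key whose value points into a user's Temp directory and a cmd.exe child that runs "ping 127.0.0.1 & del" against its parent's image. The event field names, the parent PID 1000 and the ATT&CK IDs in the comments are assumptions of this example.

```python
r"""Added example: detection logic for the two behaviours recorded above.

Replays constructed Sysmon-style process-creation and registry-set events
modelled on the report's process tree and Run-key write, and flags:
  * a Run key value that points into a user's AppData\Local\Temp directory
  * a cmd.exe running "ping 127.0.0.1 & del <path>" where <path> is the
    image of its parent (the delay-then-delete self-removal in the tree)
The field names (type/pid/ppid/image/cmdline/key/value), the parent PID 1000
and the ATT&CK IDs are assumptions of this example, not report values.
"""
import re
from pathlib import PureWindowsPath

SAMPLE = "0480a905c5cc900ae771361debf5be8353a794f1a444fe0f541301a1b7a0ec6c.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROP_PATH = TEMP + r"\MicroMedia\MediaCenter.exe"

# Constructed events; PIDs, paths, key and command lines are taken from the report.
EVENTS = [
    {"type": "proc", "pid": 1608, "ppid": 1000, "image": SAMPLE_PATH,
     "cmdline": '"' + SAMPLE_PATH + '"'},
    {"type": "reg", "pid": 1608,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROP_PATH},
    {"type": "proc", "pid": 1588, "ppid": 1608, "image": DROP_PATH, "cmdline": DROP_PATH},
    {"type": "proc", "pid": 1976, "ppid": 1608, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'},
    {"type": "proc", "pid": 1968, "ppid": 1976, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "ping 127.0.0.1" (optionally with -n N) used as a sleep before the next "&" command
LOOPBACK_PING_RE = re.compile(r"\bping\b[^&|]*\b127\.0\.0\.1\b", re.IGNORECASE)
DEL_RE = re.compile(r"&+\s*(?:del|erase)\b(.*)$", re.IGNORECASE)


def del_target(cmdline):
    """Return the path deleted by a trailing '& del ...' clause, or None."""
    m = DEL_RE.search(cmdline)
    if not m:
        return None
    for tok in re.findall(r'"[^"]*"|\S+', m.group(1)):
        if tok.startswith("/"):          # skip switches such as /q or /f
            continue
        return tok.strip('"')
    return None


def detect_run_key_in_user_temp(events):
    """Flag Run/RunOnce values whose target lives in a user's Temp directory."""
    findings = []
    for ev in events:
        if ev["type"] != "reg" or not RUN_KEY_RE.search(ev["key"]):
            continue
        target = ev["value"].strip('"')
        if USER_TEMP_RE.match(target):
            findings.append({
                "rule": "run_key_in_user_temp",
                "pid": ev["pid"],
                "key": ev["key"],
                "target": target,
                # Wow6432Node: a 32-bit writer reached HKLM\SOFTWARE via WoW64 registry redirection
                "wow64_redirected": "wow6432node" in ev["key"].lower(),
                "attack": "T1547.001",   # Registry Run Keys / Startup Folder (example's mapping)
            })
    return findings


def detect_self_delete(events):
    """Flag cmd.exe 'ping 127.0.0.1 & del <path>' and check whether <path> is the parent's image."""
    by_pid = {ev["pid"]: ev for ev in events if ev["type"] == "proc"}
    findings = []
    for ev in by_pid.values():
        if PureWindowsPath(ev["image"]).name.lower() != "cmd.exe":
            continue
        if not LOOPBACK_PING_RE.search(ev["cmdline"]):
            continue
        target = del_target(ev["cmdline"])
        if target is None:
            continue
        parent = by_pid.get(ev["ppid"])
        findings.append({
            "rule": "self_delete_via_ping_del",
            "pid": ev["pid"],
            "ppid": ev["ppid"],
            "target": target,
            "deletes_parent_image": (parent is not None
                                     and parent["image"].lower() == target.lower()),
            "attack": "T1070.004",   # Indicator Removal: File Deletion (example's mapping)
        })
    return findings


def analyze(events):
    """Run both rules over a batch of events and return the findings."""
    return detect_run_key_in_user_temp(events) + detect_self_delete(events)


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Run against the constructed events it returns two findings: the HKLM Run key for PID 1608 with wow64_redirected set, and the cmd.exe (PID 1976) whose del target equals its parent's image. Switch parsing in del_target is what keeps "/q" and "/f" from being mistaken for the deleted path.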
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  (the report also lists the same file under the drive-less path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, with identical hashes)
  MD5: b1f429b0c4fbaf6379047d79235b7146
  SHA1: 938b414d1f26101c51b5f736f18202fab8223aa2
  SHA256: 29312dd2fe204e899e316a7de33a41e8ee68ca165b1fcf77a5e193dac3adcfeb
  SHA512: 93999ca3cda50ce1b115241b9f630945df9fb68c3d057bc72c84d9098c23b48a312d3c89dbaf4925ddcd377b8756c295ee8861eb3075797457845204840f4e48
Memory dump: memory/1608-54-0x0000000075D61000-0x0000000075D63000-memory.dmp (PID 1608, 8KB)