Analysis
max time kernel: 146s
max time network: 180s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:28
Static task: static1
Behavioral task: behavioral1
  Sample: 044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe
  Resource: win10v2004-en-20220113
General
Target: 044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe
Size: 60KB
MD5: 9b5bec464e67b77726e7a9dc85f09c1e
SHA1: e2d5251a27a30f59f3e157a24198192fa1d9f74f
SHA256: 044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db
SHA512: 302723ebcfae01f0ffdf8d9bb6462b9bf979c4b39e9c229dea6b0eebdd97930b37be34e0b19b611f3e98e141f02a8c1b4be1ce29c23955ad5379a732c4d58c29
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1344  MediaCenter.exe
Deletes itself (1 IoC)
  pid 1140  cmd.exe
Loads dropped DLL (2 IoCs)
  pid 1632  044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe
  pid 1632  044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"  (process 044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe)
  Note: this is a machine-wide (HKLM) Run entry, so the sample had write access to HKLM in this run (the sandbox user is Admin). The Wow6432Node path is the registry redirector placing a 32-bit process's write under the 32-bit view, which is also why the cmd.exe it later launches resolves to SysWOW64. The persisted binary lives under the user's %TEMP%, a location legitimate autostart entries rarely point to.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: the second sentence is the sandbox's generic description for this signature, not a finding specific to this run. Nothing else in the report corroborates ransomware: only one file is dropped (MediaCenter.exe) and no file encryption or mass file writes are recorded. The observed chain (drop, persist via Run key, execute, self-delete) is that of a dropper/loader.
Runs ping.exe (1 TTP, 1 IoC)
  pid 1264  PING.EXE (ping 127.0.0.1, spawned by cmd.exe pid 1140 as the delay in the self-delete command; see the process tree below)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 1632  044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe  Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  source PID  source process                                                              target PID  target process   entries
  1632        044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe        1344        MediaCenter.exe  4
  1632        044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe        1140        cmd.exe          4
  1140        cmd.exe                                                                     1264        PING.EXE         4
  The 12 entries fall into three parent-to-child groups, each matching a process creation in the tree below; no write into a process outside that parent/child chain is recorded.
Processes
1. C:\Users\Admin\AppData\Local\Temp\044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe  (PID 1632)
   command line: "C:\Users\Admin\AppData\Local\Temp\044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1344)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe  (PID 1140)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE  (PID 1264)
         command line: ping 127.0.0.1
         - Runs ping.exe
Reading the tree: the sample drops and launches MediaCenter.exe, then spawns cmd.exe with a command that pings loopback and deletes the original executable. The ping is only a delay: cmd.exe outlives its parent, so by the time del runs the sample's file is no longer locked by a running process. The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe, because the sample is a 32-bit process and file-system redirection applies on the 64-bit host.
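Detection logic for the two behaviours this report records, the Run key pointing into the user's %TEMP% (Adds Run key signature above) and the self-deletion chain cmd.exe -> ping 127.0.0.1 & del (process tree above): an added Python example, not part of the sandbox report or of any vendor tooling. The event records are constructed from the report's own IoCs plus one benign control entry; the field names (type, pid, ppid, image, cmdline, key, value) are assumptions standing in for whatever a Sysmon or EDR feed provides. The self-delete rule generalises beyond the exact command seen here to the "ping -n N ... > nul" delay variants.

```python
"""Detect Run-key persistence into user-writable paths and ping-delayed self-deletion.

Events are constructed from the sandbox report's IoCs (not a live log feed);
field names are assumptions standing in for Sysmon/EDR equivalents.
"""
import ntpath
import re

SAMPLE = "044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

EVENTS = [
    {"type": "process_create", "pid": 1632, "ppid": 1000,
     "image": TEMP + "\\" + SAMPLE, "cmdline": '"%s\\%s"' % (TEMP, SAMPLE)},
    {"type": "registry_set", "pid": 1632,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": TEMP + r"\MicroMedia\MediaCenter.exe"},
    {"type": "process_create", "pid": 1344, "ppid": 1632,
     "image": TEMP + r"\MicroMedia\MediaCenter.exe",
     "cmdline": TEMP + r"\MicroMedia\MediaCenter.exe"},
    {"type": "process_create", "pid": 1140, "ppid": 1632,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "%s\\%s"' % (TEMP, SAMPLE)},
    {"type": "process_create", "pid": 1264, "ppid": 1140,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Constructed benign control: an installer registering a Run entry under Program Files.
    {"type": "registry_set", "pid": 900,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Autostart targets in directories an unprivileged user (or a dropper) can write to.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|ProgramData|Users\\Public|Downloads|Windows\\Temp)\\",
    re.IGNORECASE)
# "ping [-n N] <loopback> [> nul] & del [/switches] <target>": the ping is only a
# delay so the deleting cmd.exe outlives the parent whose file it removes.
SELF_DELETE_RE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\b.*?&+\s*(?:del|erase)\s+"
    r"(?:/[a-z]\s+)*\"?([^\"&]+?)\"?\s*$",
    re.IGNORECASE)


def _norm(path):
    """Case-folded file name without directory or surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()


def detect(events):
    """Return findings as dicts with rule, pid and detail. Order-independent:
    registry events are collected first so a Run value can be matched against
    a process start logged earlier or later."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    persisted = {}  # normalised image name -> Run key that points at it
    findings = []
    for e in events:
        if e["type"] == "registry_set" and RUN_KEY_RE.search(e["key"]):
            persisted[_norm(e["value"])] = e["key"]
            if USER_WRITABLE_RE.search(e["value"]):
                findings.append({"rule": "run_key_user_writable", "pid": e["pid"],
                                 "detail": e["key"] + " = " + e["value"]})
    for e in events:
        if e["type"] != "process_create":
            continue
        name = _norm(e["image"])
        if name in persisted:  # the persisted binary actually ran
            findings.append({"rule": "persisted_binary_executed", "pid": e["pid"],
                             "detail": "%s launched from %s" % (e["image"], persisted[name])})
        m = SELF_DELETE_RE.search(e["cmdline"]) if name == "cmd.exe" else None
        if m:
            parent = image_by_pid.get(e.get("ppid"), "")
            if parent and _norm(m.group(1)) == _norm(parent):
                findings.append({"rule": "self_delete_via_ping", "pid": e["pid"],
                                 "detail": "pid %d deletes its parent %s" % (e["pid"], parent)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["rule"], f["pid"], f["detail"])
```

Run against the constructed events the three rules fire once each, on PIDs 1632, 1344 and 1140, and the Program Files control entry produces nothing. Matching the del target against the parent's image by file name rather than full path is deliberate: the report itself shows the same executable referenced with and without quotes and with different path forms, and a feed may log short names.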
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 26c1ab085802ee2e9c5b6f564281b13a
  SHA1: 3a2dafd0d3e4cb8cda39b56988fa4c52d62981fc
  SHA256: 394e99165d07b2973cbcaa1f811c23b6dcd48b66b5f6c2457bdb78571e1dea24
  SHA512: fa2548a09773c84dea05c01fddd8411aff17937f12d4a46f97d7af43657a33e85da59f8bd0f899ae7a2d150b5aa416794d667288e289029fe9d0b62a67bf86bd
  Note: these hashes differ from the submitted sample's, so MediaCenter.exe is a distinct embedded payload rather than a copy of the dropper; both sets of hashes are needed to hunt for this chain.
memory/1632-55-0x00000000763F1000-0x00000000763F3000-memory.dmp
  Filesize: 8KB