Analysis
max time kernel: 122s
max time network: 143s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:31
Static task: static1
Behavioral task: behavioral1
  Sample: 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe
  Resource: win10v2004-en-20220112
General
Target: 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe
Size: 60KB
MD5: 96de5d7d87207a6d3b8af0fd693a90c3
SHA1: 314b9b35a92d4e23eeda7d03b74bd62526f44370
SHA256: 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5
SHA512: 24d8bc31f38015f15a5f28e54030bc80c3217ac101ba331ca733196984071e6b91bf27c37af48ab24ae037afc8232eb3ff1a10a5d400680df7702825530136e0
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes (pid | process):
  592 | MediaCenter.exe

Deletes itself (1 IoCs)
Processes (pid | process):
  640 | cmd.exe

Loads dropped DLL (2 IoCs)
Processes (pid | process):
  1156 | 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe
  1156 | 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1156 | 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description | pid | process | target process):
  PID 1156 wrote to memory of 592 | 1156 | 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe | MediaCenter.exe
  PID 1156 wrote to memory of 592 | 1156 | 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe | MediaCenter.exe
  PID 1156 wrote to memory of 592 | 1156 | 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe | MediaCenter.exe
  PID 1156 wrote to memory of 592 | 1156 | 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe | MediaCenter.exe
  PID 1156 wrote to memory of 640 | 1156 | 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe | cmd.exe
  PID 1156 wrote to memory of 640 | 1156 | 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe | cmd.exe
  PID 1156 wrote to memory of 640 | 1156 | 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe | cmd.exe
  PID 1156 wrote to memory of 640 | 1156 | 0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe | cmd.exe
  PID 640 wrote to memory of 1116 | 640 | cmd.exe | PING.EXE
  PID 640 wrote to memory of 1116 | 640 | cmd.exe | PING.EXE
  PID 640 wrote to memory of 1116 | 640 | cmd.exe | PING.EXE
  PID 640 wrote to memory of 1116 | 640 | cmd.exe | PING.EXE
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1156

  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 592

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 640

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1116
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7fec84b7583e354f19964ff28e77a4c6
  SHA1: 9deb8be598a6fce96c69bfeb20f9c4d0ac135258
  SHA256: fb04c9afb3465f80a7eb8e3d1f673d264ef9312f109b9dbf9301b70fa7a02da6
  SHA512: ed6e46a3f0203cd798ac74c662d1f0e95bec74445ded2c43b1c98a2bc4e4f9a6eb045899971e8a46580f3e4abdd71f56edc595271bfcbad035c75604d7cb6e16
memory/1156-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB