Analysis
- max time kernel: 157s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:33
Static task: static1
Behavioral task: behavioral1
  Sample: 041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe
  Resource: win10v2004-en-20220113
General
- Target: 041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe
- Size: 36KB
- MD5: 537341dce163bac218c42188acc7eabf
- SHA1: 74a9ca405acc2475e92e0e24ed3086e445d9d24b
- SHA256: 041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944
- SHA512: a4c4efbc4000674dbb026fb87c3db7d8f1d221437068582f37c845466707bcf9700a9bf78ce510bcce9ae972836428f09aaa4f2432370417681021aecfa007dc
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 628)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 300)
- Loads dropped DLL (2 IoCs)
  Processes: 041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe (PID 1624), 2 entries
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, 041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe (PID 1624)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1624 (041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe) wrote to memory of PID 628 (MediaCenter.exe), 4 identical entries
  PID 1624 (041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe) wrote to memory of PID 300 (cmd.exe), 4 identical entries
  PID 300 (cmd.exe) wrote to memory of PID 828 (PING.EXE), 4 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1624
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 628
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 300
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 828
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 6f3089b2ac9bb74142e32de7e81f9da8
  SHA1: 514f774e238abf73d0cba51860f0ca9dfaed0d14
  SHA256: 7da2b5849bc89f19c01738dc15cc1e4d9c2cfb197ea2e1464f4c8b162f8ce66a
  SHA512: 53a8e789377b7a529563d927b7265567dcb3d3d3663a02ff20999c1c559cd3dfa4f0c51b722e490824e1e330328559ccb1e121551d7476f424b1d5c32dbb8a60
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 6f3089b2ac9bb74142e32de7e81f9da8
  SHA1: 514f774e238abf73d0cba51860f0ca9dfaed0d14
  SHA256: 7da2b5849bc89f19c01738dc15cc1e4d9c2cfb197ea2e1464f4c8b162f8ce66a
  SHA512: 53a8e789377b7a529563d927b7265567dcb3d3d3663a02ff20999c1c559cd3dfa4f0c51b722e490824e1e330328559ccb1e121551d7476f424b1d5c32dbb8a60
- memory/1624-54-0x0000000075761000-0x0000000075763000-memory.dmp
  Filesize: 8KB