Analysis
- max time kernel: 142s
- max time network: 163s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:33
Static task: static1
Behavioral task: behavioral1
- Sample: 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe
- Resource: win10v2004-en-20220113
General
- Target: 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe
- Size: 35KB
- MD5: aad2b1a60206bb90a7262fff47b30106
- SHA1: 638947ec305652d71c194ad073a0895bfff7fc88
- SHA256: 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222
- SHA512: 29425bad4075fdf27a7f253430d4aa9063e03e696451ae1827db339be7507a6450c4b3d1bc5ccda8e876161b589fbd52628cb093ce32dcedcf0e95a092798abb
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process: 1052 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process: 828 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe
  pid | process: 808 | 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe
  pid | process: 808 | 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe
  description | ioc | process: Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe
  description | pid | process: Token: SeIncBasePriorityPrivilege | 808 | 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe, cmd.exe
  description | pid | process | target process:
  PID 808 wrote to memory of 1052 | 808 | 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe | MediaCenter.exe (4 identical entries)
  PID 808 wrote to memory of 828 | 808 | 041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe | cmd.exe (4 identical entries)
  PID 828 wrote to memory of 1856 | 828 | cmd.exe | PING.EXE (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe"
  Level 1, PID 808
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Level 2, PID 1052
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe"
    Level 2, PID 828
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Level 3, PID 1856
      - Runs ping.exe
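The two behaviours worth turning into detection logic from the tree above are the self-deletion chain (sample spawns cmd.exe, which pings localhost as a delay and then `del`s the parent's own image) and the Run key that points into a user-writable Temp directory. The following is an added example, not part of this sandbox report or its tooling: a small detector run over constructed process-creation and registry-write events in a Sysmon-like dict shape (the field names `pid`, `ppid`, `image`, `cmdline`, `key`, `data` and the benign control events are assumptions made for the example; the PIDs, image paths, command lines and registry key are taken from the report).

```python
"""Added example: flag cmd.exe "ping ... & del <parent image>" self-deletion
and Run-key persistence into a user-writable directory, replayed over
constructed events modelled on the sandbox process tree."""
import re

# Constructed process-creation events (Sysmon Event ID 1 shape, assumed; not the
# sandbox's export format). PIDs, images and command lines come from the report;
# the ppid 4000 for the sample and the pid-2000 control event are made up.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 808, "ppid": 4000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe"'},
    {"pid": 1052, "ppid": 808,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 828, "ppid": 808,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\041bd36d8ab576d3d92a49eba9c7698bd2b22140876a575df82ec349abcb1222.exe"'},
    {"pid": 1856, "ppid": 828,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Benign control (constructed): cmd.exe deleting a file that is not its parent.
    {"pid": 2000, "ppid": 1999,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Users\Admin\Downloads\old.log"'},
]

# Constructed registry-write events (Sysmon Event ID 13 shape, assumed). The first
# is the Run value from the report; the second is a made-up benign autostart.
SAMPLE_REGISTRY_EVENTS = [
    {"pid": 808,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 500,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

# "del" or "erase", optional switches such as /q or /f, then a quoted or bare path.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\w)*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Common stalling tricks used so the parent has exited before the delete runs.
DELAY_RE = re.compile(r"\b(?:ping|timeout|choice|sleep)\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\Users\\Public\\|\\ProgramData\\", re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _norm(path):
    return path.replace("/", "\\").strip('"').lower()


def detect_self_delete(events):
    """Return one finding per cmd.exe whose del target is its own parent's image.
    Matching on the image path (not the command line) is deliberate: the report
    shows a SysWOW64 image behind a System32 command line because of WoW64
    file-system redirection for the 32-bit sample."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e["image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = _norm(m.group(1) or m.group(2))
        parent = by_pid.get(e["ppid"])
        if parent and _norm(parent["image"]) == target:
            findings.append({
                "pid": e["pid"],
                "parent_pid": parent["pid"],
                "deleted": target,
                "delayed": bool(DELAY_RE.search(e["cmdline"])),
            })
    return findings


def detect_temp_run_key(reg_events):
    """Return Run/RunOnce values whose data points into a user-writable location."""
    return [
        {"pid": r["pid"], "key": r["key"], "target": r["data"]}
        for r in reg_events
        if RUN_KEY_RE.search(r["key"]) and USER_WRITABLE_RE.search(r["data"])
    ]


if __name__ == "__main__":
    for f in detect_self_delete(SAMPLE_PROCESS_EVENTS):
        print("self-delete:", f)
    for f in detect_temp_run_key(SAMPLE_REGISTRY_EVENTS):
        print("temp run key:", f)
```

Against the constructed events this yields exactly one self-deletion finding (cmd.exe PID 828 deleting the image of PID 808, with the ping delay present) and one persistence finding (PID 808 writing the MicroMedia Run value); the control cmd.exe and the OneDrive value are not flagged. Because the parent image is compared rather than the child's command line, the check still fires when the delete is issued through a SysWOW64 cmd.exe even though the command line names System32.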
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also listed twice as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe with identical hashes)
  MD5: 175403d2f4008f09c48e737559c9b8c9
  SHA1: 85e5b4392fd25ec12b9901ea4b30394084fb814a
  SHA256: 4e14ce8f8494d774fc56b50a496985955a25f31d5a7bc919cc82ecd5ad4035ad
  SHA512: 72697ca7191010925d80453f303d0dd08ab7fdbf6c342476509f7809fa4f95b0a5baa8fbc07655d6ce972348c534a6af97e048f37bb86cbb3ec1ce5f076846d0
- memory/808-54-0x00000000754B1000-0x00000000754B3000-memory.dmp
  Filesize: 8KB