Analysis
- max time kernel: 152s
- max time network: 174s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:34
Static task
- static1
Behavioral task
- behavioral1
  Sample: 040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe
  Resource: win7-en-20211208
Behavioral task
- behavioral2
  Sample: 040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe
  Resource: win10v2004-en-20220112
General
- Target: 040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe
- Size: 60KB
- MD5: 118b606dd47079e0a137370ed96e182d
- SHA1: 22770e146365e45b409156e4cd32901d7c6f8444
- SHA256: 040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781
- SHA512: 4ba76ab32f2a143cc699ff80c530697cc4cf258c2b090a5fe7ff5c3ecc83c7ce1e361a10a3937eb1c09886cafa58cac12451fcb5faae9d67395a947492f8c78e
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    MediaCenter.exe (PID 1100)
- Deletes itself (1 IoCs)
  Processes:
    cmd.exe (PID 836)
- Loads dropped DLL (2 IoCs)
  Processes:
    040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe (PID 1876)
    040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe (PID 1876)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe
    Description: Set value (str)
    IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe (PID 1876)
    Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID -> target PID, source process -> target process):
    PID 1876 wrote to memory of 1100: 040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe -> MediaCenter.exe
    PID 1876 wrote to memory of 1100: 040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe -> MediaCenter.exe
    PID 1876 wrote to memory of 1100: 040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe -> MediaCenter.exe
    PID 1876 wrote to memory of 1100: 040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe -> MediaCenter.exe
    PID 1876 wrote to memory of 836: 040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe -> cmd.exe
    PID 1876 wrote to memory of 836: 040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe -> cmd.exe
    PID 1876 wrote to memory of 836: 040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe -> cmd.exe
    PID 1876 wrote to memory of 836: 040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe -> cmd.exe
    PID 836 wrote to memory of 1568: cmd.exe -> PING.EXE
    PID 836 wrote to memory of 1568: cmd.exe -> PING.EXE
    PID 836 wrote to memory of 1568: cmd.exe -> PING.EXE
    PID 836 wrote to memory of 1568: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1876
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1100
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\040e504f41f149e15320f1f456cc012c9d4422d4c2e949582a5240b8bc3a4781.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 836
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1568
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 94a2fea8c7ec22bbaafd13cce5a702f2
  SHA1: d50f4c943e679d4a9e38698afb8a85a6317d16a2
  SHA256: 3024360de6435465491bb249fffb0165b3497e7cce096199a06d8197e47c79d3
  SHA512: 515fb5b0e83d54c85d6ad3e0910fc25a3596d6dd97501172f68715ba3cbb7b50b902971a828f4cee7dee7dd59299c540985222a24103722a7641843cfdf9f588
- memory/1876-55-0x00000000760F1000-0x00000000760F3000-memory.dmp
  Filesize: 8KB