Analysis
max time kernel: 137s
max time network: 157s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:37
Static task: static1
Behavioral task: behavioral1 (Sample: 03ec08129eae64b0bfe97e932885e677a78ec9ead7359624c184310adca91d05.exe, Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: 03ec08129eae64b0bfe97e932885e677a78ec9ead7359624c184310adca91d05.exe, Resource: win10v2004-en-20220113)
The signatures, process tree and dropped files that follow come from the windows7_x64 run (resource win7-en-20211208, task behavioral1).
General
Target: 03ec08129eae64b0bfe97e932885e677a78ec9ead7359624c184310adca91d05.exe
Size: 58KB
MD5: cc4e6e83790abdaf8d27d0bb5c1720cc
SHA1: 2caf5ed6f820e10e6b8e87d2cadea1aef80df5ce
SHA256: 03ec08129eae64b0bfe97e932885e677a78ec9ead7359624c184310adca91d05
SHA512: 422137660d4a1dede3bdb0ed9c3047fe0ec471cfd7ca3ba1871d25573bfb84c948a373a019af463024c8983c9131291f4d62de64b291d9f7d7b026e06166dc63
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 1884  MediaCenter.exe

Deletes itself (1 IoC)
  PID 1648  cmd.exe

Loads dropped DLL (2 IoCs)
  PID 1620  03ec08129eae64b0bfe97e932885e677a78ec9ead7359624c184310adca91d05.exe (two load events recorded for this process)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by PID 1620 03ec08129eae64b0bfe97e932885e677a78ec9ead7359624c184310adca91d05.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The value points at the dropped payload in the user's Temp directory, so MediaCenter.exe is started at every logon even after the original sample has deleted itself.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature. Nothing else in this report corroborates ransomware: no file-encryption activity is listed and the Network section is empty.)

Runs ping.exe (1 TTP, 1 IoC)
  PID 1128  PING.EXE (ping 127.0.0.1, used as a delay before the self-delete; see the process tree)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  PID 1620 03ec08129eae64b0bfe97e932885e677a78ec9ead7359624c184310adca91d05.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1620 (03ec08129eae64b0bfe97e932885e677a78ec9ead7359624c184310adca91d05.exe) wrote to memory of PID 1884 (MediaCenter.exe)  x4
  PID 1620 (03ec08129eae64b0bfe97e932885e677a78ec9ead7359624c184310adca91d05.exe) wrote to memory of PID 1648 (cmd.exe)  x4
  PID 1648 (cmd.exe) wrote to memory of PID 1128 (PING.EXE)  x4
  Every target is the writer's own freshly created child in the process tree; no write into an unrelated, pre-existing process is recorded.
Processes

C:\Users\Admin\AppData\Local\Temp\03ec08129eae64b0bfe97e932885e677a78ec9ead7359624c184310adca91d05.exe  (PID 1620)
  command line: "C:\Users\Admin\AppData\Local\Temp\03ec08129eae64b0bfe97e932885e677a78ec9ead7359624c184310adca91d05.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1884)
  |     command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |     - Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 1648)
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03ec08129eae64b0bfe97e932885e677a78ec9ead7359624c184310adca91d05.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\PING.EXE  (PID 1128)
              command line: ping 127.0.0.1
              - Runs ping.exe

Reading the tree: the sample drops MediaCenter.exe into a MicroMedia subdirectory of its own Temp folder and runs it, then hands cmd.exe a one-liner that pings localhost (a crude sleep, giving the parent time to exit and release its file handle) before deleting the sample's own executable. The original file is gone afterwards while the dropped payload and the Run value persist. The sample is a 32-bit process: the command line names System32\cmd.exe, but WOW64 file-system redirection resolves it to SysWOW64\cmd.exe (hence the SysWOW64 image paths), and its Run value lands under Wow6432Node for the same reason.
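A detection pass over the two behaviours the Signatures and Processes sections above flag (the ping-then-del self-deletion in the cmd.exe command line, and the HKLM Run value pointing into a user-writable Temp directory), written here as an added example; it is not part of the sandbox report or any vendor's tooling. The events are constructed from the report's process tree and registry IoC, and the dict field names (pid, ppid, image, cmdline, op, key, name, data) are an assumed log schema rather than a real export format.

```python
"""Detection logic for two behaviours in the sandbox report above:
(1) self-deletion via `cmd.exe /c ping 127.0.0.1 & del /q <own image>` and
(2) persistence via a Run value that points into a user-writable path.
The events below are constructed from the report's process tree and registry
IoC; the dict field names are an assumed log schema, not a real export."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\03ec08129eae64b0bfe97e932885e677a78ec9ead7359624c184310adca91d05.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed process-creation events (pid, parent pid, image path, command line).
# PIDs and paths mirror the report; 1999/2000 are a benign control that deletes
# an unrelated file and must not be flagged.
PROCESS_EVENTS = [
    {"pid": 1620, "ppid": 1000, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 1884, "ppid": 1620, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 1648, "ppid": 1620, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"pid": 1128, "ppid": 1648, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"pid": 1999, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2000, "ppid": 1999, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c del /q "C:\\Temp\\old.log"'},
]

# Constructed registry SetValue events: the first is the report's Run-key IoC,
# the second a benign control registered from Program Files.
REGISTRY_EVENTS = [
    {"pid": 1620, "op": "SetValue",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicroMedia", "data": DROPPED},
    {"pid": 3000, "op": "SetValue",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorUpdater", "data": r"C:\Program Files\Vendor\updater.exe"},
]

# `del`/`erase` with optional switches, then a (possibly quoted) path running up
# to the next command separator or the end of the line.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"&|]+?)"?\s*(?:&|\||$)', re.I)
# Common "wait for the parent to exit" stalls that precede the delete.
DELAY_RE = re.compile(r'\bping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1\b|\btimeout\b', re.I)
RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$', re.I)
# Locations a non-admin user can write to; a Run value pointing here is a
# strong persistence signal regardless of the value name chosen.
USER_WRITABLE_RE = re.compile(
    r'\\(?:AppData\\Local|AppData\\Roaming|Users\\Public|ProgramData|Windows\\Temp)\\', re.I)


def _image_of(events, pid):
    """Image path of the process with this pid, or None if it was not logged."""
    for e in events:
        if e["pid"] == pid:
            return e["image"]
    return None


def detect_self_delete(events):
    """Flag cmd.exe instances whose command line deletes the on-disk image of
    their own parent; `delayed` records whether a ping/timeout stall precedes it."""
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1).strip()
        parent_image = _image_of(events, e["ppid"])
        if parent_image and parent_image.lower() == target.lower():
            findings.append({"pid": e["pid"], "parent_pid": e["ppid"], "deleted": target,
                             "delayed": bool(DELAY_RE.search(e["cmdline"]))})
    return findings


def detect_temp_run_key(events):
    """Flag Run/RunOnce values whose target lives in a user-writable directory."""
    findings = []
    for e in events:
        if e["op"] != "SetValue" or not RUN_KEY_RE.search(e["key"]):
            continue
        target = e["data"].strip('"')
        if USER_WRITABLE_RE.search(target):
            findings.append({"pid": e["pid"], "key": e["key"], "value": e["name"], "target": target})
    return findings


def correlate(process_events, registry_events):
    """Tie each suspicious Run value back to its dropper: the process that wrote
    the value also spawned a child whose image is the value's target."""
    out = []
    for f in detect_temp_run_key(registry_events):
        for p in process_events:
            if p["ppid"] == f["pid"] and p["image"].lower() == f["target"].lower():
                out.append({"dropper_pid": f["pid"], "payload_pid": p["pid"], "run_value": f["value"]})
    return out


if __name__ == "__main__":
    for hit in detect_self_delete(PROCESS_EVENTS):
        print("self-delete:", hit)
    for hit in detect_temp_run_key(REGISTRY_EVENTS):
        print("run-key persistence:", hit)
    for hit in correlate(PROCESS_EVENTS, REGISTRY_EVENTS):
        print("dropper -> payload:", hit)
```

The self-delete check keys on the parent/child relationship rather than on the `ping & del` string alone, so an admin script that deletes an unrelated file (PID 2000 above) is not flagged, while a variant that swaps `ping` for `timeout` still is. The correlation step reproduces what the report shows implicitly: the same PID (1620) both wrote the Run value and launched the file it points to.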
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ae5eac7bc0876d67eff4c88d8ff7251f
  SHA1: 9d6e58d22b99db9cb4b94425765a3e623c6b146f
  SHA256: da8e31cd38a0e0311f54250ba4bc2ac49b6a6228a6377abe075ee6b5ed97bf30
  SHA512: 03a85204f08ff5f67bf3efd93dcb9a70daf0f6a3350f787a93c3638baa4e334317c4885a98320b43b1249924abe58b5de4840738a7c6db67ed177b1e5dcfb0fa
  The same file is also recorded under the drive-letter-less path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe with identical hashes. Its hashes differ from the submitted sample's, so MediaCenter.exe is a distinct file written out by the dropper, not a copy of the sample itself.

memory/1620-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB (memory region dumped from PID 1620)