Analysis
max time kernel: 151s
max time network: 176s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:36
Static task: static1
Behavioral task: behavioral1
  Sample: 03f692d732224638328f19ae39e25851d276abfcf47c66ba5f612230ef77c994.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 03f692d732224638328f19ae39e25851d276abfcf47c66ba5f612230ef77c994.exe
  Resource: win10v2004-en-20220113
General
Target: 03f692d732224638328f19ae39e25851d276abfcf47c66ba5f612230ef77c994.exe
Size: 60KB
MD5: 2cce45ad65b5f61380ab0e440c7d8f29
SHA1: 531bc8d2eb1f777568e4f569f5b4d7c740539923
SHA256: 03f692d732224638328f19ae39e25851d276abfcf47c66ba5f612230ef77c994
SHA512: b8e81b97963aff73ac6d4bc93cab844fc5080b45328ebd13b73e482bf534501af34188262531cb37e9426cdd5cb67a73cb9b14e967f7a8814b52b38ea44b9eb3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1552 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    1072 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1700 | 03f692d732224638328f19ae39e25851d276abfcf47c66ba5f612230ef77c994.exe
    1700 | 03f692d732224638328f19ae39e25851d276abfcf47c66ba5f612230ef77c994.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 03f692d732224638328f19ae39e25851d276abfcf47c66ba5f612230ef77c994.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1700 | 03f692d732224638328f19ae39e25851d276abfcf47c66ba5f612230ef77c994.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1700 wrote to memory of 1552 | 1700 | 03f692d732224638328f19ae39e25851d276abfcf47c66ba5f612230ef77c994.exe | MediaCenter.exe (x4)
    PID 1700 wrote to memory of 1072 | 1700 | 03f692d732224638328f19ae39e25851d276abfcf47c66ba5f612230ef77c994.exe | cmd.exe (x4)
    PID 1072 wrote to memory of 1124 | 1072 | cmd.exe | PING.EXE (x4)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\03f692d732224638328f19ae39e25851d276abfcf47c66ba5f612230ef77c994.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03f692d732224638328f19ae39e25851d276abfcf47c66ba5f612230ef77c994.exe"
  PID: 1700
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1552
    - Executes dropped EXE
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03f692d732224638328f19ae39e25851d276abfcf47c66ba5f612230ef77c994.exe"
    PID: 1072
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1124
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: af5d2b04fb58243b6b0b7a8be602661d
  SHA1: 86c0ca9e7b2c9ddc4194a173e467e09d3bdff421
  SHA256: 00a0c07a6b7d69decac3d72c6d732fd1558bd633457a3b6930bd7d84728b0ca0
  SHA512: 29683cbe903f3157eb3fb2ec1c99f6d3d98e888259f9baee1d0351fa953341372dfb106d4fdf6992ba7b078579b030b8636b9ba00881fad40501bdb317eaef1b
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: af5d2b04fb58243b6b0b7a8be602661d
  SHA1: 86c0ca9e7b2c9ddc4194a173e467e09d3bdff421
  SHA256: 00a0c07a6b7d69decac3d72c6d732fd1558bd633457a3b6930bd7d84728b0ca0
  SHA512: 29683cbe903f3157eb3fb2ec1c99f6d3d98e888259f9baee1d0351fa953341372dfb106d4fdf6992ba7b078579b030b8636b9ba00881fad40501bdb317eaef1b
- memory/1700-54-0x0000000075601000-0x0000000075603000-memory.dmp
  Filesize: 8KB