Analysis

max time kernel: 124s
max time network: 153s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:38
Static task: static1

Behavioral task: behavioral1
Sample: 03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe
Resource: win10v2004-en-20220113
General

Target: 03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe
Size: 58KB
MD5: 1a728a8b44e3b94047fc128fe1d54800
SHA1: 61de11cc7e74c412e2f89f505cb55fa312fd9330
SHA256: 03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a
SHA512: 0b3861b70fcc844ca2d7af00b2a67650aa52dd53dc8709d2b9b950221bb69853c2ba7d251d2ad5fb5b860fb8624ba0af3bf429d21f53c359d7cad2602a9062cd
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 528  MediaCenter.exe

Deletes itself (1 IoC)
  PID 1176  cmd.exe

Loads dropped DLL (2 IoCs)
  PID 972  03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe (two load events recorded for this process)
Adds Run key to start application (2 TTPs, 1 IoC)
  PID 972  03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  Note: the key sits under Wow6432Node because the 32-bit sample's write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected by the registry redirector. The machine-wide Run key is writable only with administrative rights (the sandbox user here is Admin; on a standard-user host this write would fail), and the persisted path points at the dropped copy in %TEMP%, which is the same file listed under Downloads.
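As an added example (not part of the sandbox report), the check below walks registry set-value events, normalises the Wow6432Node redirection seen above, and flags Run/RunOnce entries whose executable lives in a user-writable directory. The first event reproduces the report's entry; the other two, the SID and PID 4012 are constructed for contrast.

```python
import re

# Constructed registry set-value events. The first mirrors the report's Run key;
# the remaining two (and the SID/PID they use) are made up to give the rule a
# benign case and a second positive case.
REGISTRY_EVENTS = [
    {"pid": 972,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicroMedia",
     "data": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 4012,
     "key": r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"pid": 4012,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "name": "Updater",
     "data": r"C:\ProgramData\Vendor\update.exe"},
]

# Native and WOW64-redirected Run/RunOnce keys, HKLM or a per-user hive.
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)\\SOFTWARE\\(?:Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(?P<subkey>Run|RunOnce)$",
    re.IGNORECASE,
)

# Directories a standard user can write to. A Run entry pointing here is the
# "dropper persists from %TEMP%" pattern the report shows.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Local|Roaming)\\"
    r"|^[A-Z]:\\ProgramData\\"
    r"|^[A-Z]:\\Users\\Public\\",
    re.IGNORECASE,
)


def normalize_run_key(key):
    """Return (hive, subkey, is_wow64) for a Run/RunOnce key, else None.

    Wow6432Node is folded away so a 32-bit writer's redirected key is treated
    as the same autostart location as the native path.
    """
    m = RUN_KEY_RE.match(key)
    if not m:
        return None
    return m.group("hive"), m.group("subkey"), "wow6432node" in key.lower()


def first_image_path(data):
    """Extract the executable path from a Run value, quoted or bare.

    For bare values the path is taken up to the first '.exe'; a directory
    name containing '.exe' would cut it short, which is acceptable here.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data


def find_suspicious_run_entries(events):
    """Return Run/RunOnce entries whose image sits in a user-writable directory."""
    findings = []
    for ev in events:
        parsed = normalize_run_key(ev["key"])
        if parsed is None:
            continue
        hive, subkey, is_wow64 = parsed
        image = first_image_path(ev["data"])
        if USER_WRITABLE_RE.match(image):
            findings.append({
                "pid": ev["pid"],
                "hive": "HKLM" if hive.upper() == "MACHINE" else "HKU",
                "subkey": subkey,
                "wow64_redirected": is_wow64,
                "value_name": ev["name"],
                "image": image,
            })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_run_entries(REGISTRY_EVENTS):
        print(hit)
```

Against the constructed events the report's MicroMedia entry is flagged as an HKLM Run value, marked as WOW64-redirected, with its image under AppData\Local\Temp; the OneDrive entry under Program Files is not flagged.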
Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); the sandbox tags this generic signature as likely ransomware behaviour. The only dropped file recorded in this run is MediaCenter.exe, so treat the ransomware wording as a heuristic rather than a verdict.

Runs ping.exe (1 TTP, 1 IoC)
  PID 1560  PING.EXE (spawned by cmd.exe, see Processes)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 972  03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe  Token: SeIncBasePriorityPrivilege
  Note: SeIncBasePriorityPrivilege ("Increase scheduling priority") is enabled when a process raises its own or a child's priority; on its own it is low-signal and common in benign software.
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 972  (03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe) wrote to memory of PID 528  (MediaCenter.exe)  4 events
  PID 972  (03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe) wrote to memory of PID 1176 (cmd.exe)         4 events
  PID 1176 (cmd.exe) wrote to memory of PID 1560 (PING.EXE)  4 events
  Note: each group of four writes coincides with a process launch shown under Processes. A parent writing into a child it has just created is also what ordinary CreateProcess does, so this signature by itself does not establish code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe  (PID 972)
   Command line: "C:\Users\Admin\AppData\Local\Temp\03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe"
   Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 528)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Signatures: Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe  (PID 1176)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe"
      Signatures: Deletes itself; Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE  (PID 1560)
         Command line: ping 127.0.0.1
         Signatures: Runs ping.exe

Note: the command line names System32\cmd.exe but the image runs from SysWOW64, because the 32-bit parent's System32 path is redirected by the file system redirector (the same reason its Run key landed under Wow6432Node). The ping to 127.0.0.1 is only a delay of a few seconds so the dropper has exited before del removes its own executable; the persistence target MediaCenter.exe is left in place.
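As an added example (not part of the sandbox report), the code below runs two detections over constructed process-creation and file-write telemetry modelled on the tree above: the "ping then del" self-deletion of the parent's own image, and execution of a file the parent itself wrote (the "Executes dropped EXE" signature). PIDs, images and command lines follow the report; the explorer.exe parent (PID 1340), the benign cmd.exe event (PID 2200) and the file-write record are constructed.

```python
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed process-creation telemetry. PIDs 972/528/1176/1560 follow the report;
# explorer.exe (1340) and the last cmd.exe (2200) are made up as a benign baseline.
PROCESS_EVENTS = [
    {"pid": 1340, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 972, "ppid": 1340, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 528, "ppid": 972, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 1176, "ppid": 972, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1560, "ppid": 1176, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"pid": 2200, "ppid": 1340, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 8.8.8.8 -n 1 & echo done"},
]

# Constructed file-write telemetry: the sample (972) writes the payload it then launches.
FILE_WRITE_EVENTS = [
    {"pid": 972, "path": DROPPED},
]

# "ping|timeout ... & del <target>": a delay so the caller can exit, then a delete.
SELF_DELETE_RE = re.compile(
    r"\b(?:ping|timeout)\b[^&|]*(?:&&?|\|\|?)\s*(?:del|erase)\b(?P<args>.*)$",
    re.IGNORECASE,
)


def _norm(path):
    return path.strip().lower()


def _target_path(args):
    """Pull the path out of a 'del' argument string: quoted, else last non-switch token."""
    m = re.search(r'"([^"]+)"', args)
    if m:
        return m.group(1)
    tokens = [t for t in args.split() if not t.startswith("/")]
    return tokens[-1] if tokens else ""


def detect_self_deletion(events):
    """Flag cmd.exe processes whose delayed 'del' targets their parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not _norm(e["image"]).endswith(r"\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        target = _target_path(m.group("args"))
        parent = by_pid.get(e["ppid"])
        hits.append({
            "pid": e["pid"],
            "parent_pid": e["ppid"],
            "target": target,
            "deletes_parent_image": parent is not None and _norm(parent["image"]) == _norm(target),
        })
    return hits


def detect_dropped_exe_execution(proc_events, file_events):
    """Flag processes whose image file was written earlier by their parent (dropper -> payload)."""
    written_by = {}
    for f in file_events:
        written_by.setdefault(_norm(f["path"]), set()).add(f["pid"])
    hits = []
    for e in proc_events:
        if e["ppid"] in written_by.get(_norm(e["image"]), set()):
            hits.append({"pid": e["pid"], "dropper_pid": e["ppid"], "image": e["image"]})
    return hits


if __name__ == "__main__":
    for hit in detect_self_deletion(PROCESS_EVENTS):
        print("self-delete:", hit)
    for hit in detect_dropped_exe_execution(PROCESS_EVENTS, FILE_WRITE_EVENTS):
        print("dropped exe executed:", hit)
```

On the constructed input the cmd.exe with PID 1176 is flagged because its del target equals the image of its parent (PID 972), while the benign "ping 8.8.8.8 & echo" is not; MediaCenter.exe (PID 528) is flagged because its image was written by its parent before launch. Both checks key on parent/child relations, so they need process-creation telemetry that records the parent PID (Sysmon Event ID 1 or Security 4688 with the creator PID).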
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  (recorded three times, twice under the drive-less path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, all with identical hashes)
  MD5: 41bae8271d40bc122941c4fbc1ac0ece
  SHA1: d45a96580647adfe61da774a336ffb3fad9dbbc4
  SHA256: 4f1aebf4936aeb58e5dcc82154f899188aca428f6cffc2e34f4e849596ed1e3b
  SHA512: 1c6fa7f9674087e02e8a1cb07d9b37bed48dd57f18239a39e6a4a8908f6f0e9d34cdb649c29906fda17d7ed634bfec71421d350873d3277159674f50408e30d9
  Note: these hashes differ from the submitted sample's, so MediaCenter.exe is not a byte-identical copy of the dropper; it is the file referenced by the Run key and the one executed as PID 528.

memory/972-55-0x0000000076071000-0x0000000076073000-memory.dmp
  Filesize: 8KB