Analysis
-
max time kernel
142s -
max time network
163s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 11:38
Static task
static1
Behavioral task
behavioral1
Sample
03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe
Resource
win10v2004-en-20220112
General
-
Target
03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe
-
Size
35KB
-
MD5
f115551bdc1aba4a853f7d5670984b80
-
SHA1
cfac089e1122ca7d929393c55d8c75f0839d26ea
-
SHA256
03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7
-
SHA512
5ec930ac8320a152dd9b5d558341ae5abb527c1b999856402e033a358dc190c07f7a610028301a21c0aef15122f2e5a88b59936611d148a613b19807b087fbd5
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid    process
592    MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid    process
436    cmd.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid    process
1156   03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe
1156   03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
process: 03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but drive enumeration on its own is weak evidence: nothing else in this report (no mass file modification, no ransom note) corroborates it.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                          pid    process
Token: SeIncBasePriorityPrivilege    1156   03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                        pid    process                                                                 target process
PID 1156 wrote to memory of 592    1156   03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe   MediaCenter.exe
PID 1156 wrote to memory of 592    1156   03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe   MediaCenter.exe
PID 1156 wrote to memory of 592    1156   03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe   MediaCenter.exe
PID 1156 wrote to memory of 592    1156   03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe   MediaCenter.exe
PID 1156 wrote to memory of 436    1156   03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe   cmd.exe
PID 1156 wrote to memory of 436    1156   03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe   cmd.exe
PID 1156 wrote to memory of 436    1156   03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe   cmd.exe
PID 1156 wrote to memory of 436    1156   03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe   cmd.exe
PID 436 wrote to memory of 1104    436    cmd.exe                                                                 PING.EXE
PID 436 wrote to memory of 1104    436    cmd.exe                                                                 PING.EXE
PID 436 wrote to memory of 1104    436    cmd.exe                                                                 PING.EXE
PID 436 wrote to memory of 1104    436    cmd.exe                                                                 PING.EXE
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1156
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 592
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        PID: 436
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 1104
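Two things in this tree are worth turning into detections. First, the Run value is written under Wow6432Node: the sample is 32-bit, so WOW64 redirects its HKLM\SOFTWARE writes, and a hunt that only reads the native 64-bit Run key will not see it. Second, the cmd.exe child does not delete anything immediately; the loopback ping is a sleep that gives the parent time to exit so that del /q can remove the now-unlocked image. The script below is an added detection example, not code from the sandbox or from the sample. The event dictionaries are constructed from the PIDs, paths and command lines in this report, and the field names, rule names and regexes are my own assumptions about what an EDR or sandbox export looks like.

```python
import re

# Image path of the analysed sample, taken from this report.
SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\03e0d5c67d14312fe925782b48e0f387d80e0bf8a389c6516307de0ba923dfc7.exe")

# Constructed event stream modelled on the report's process tree and registry IoC.
# The field names are an assumption; map your own telemetry onto them.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1156, "ppid": 1000, "image": SAMPLE_IMAGE,
     "cmdline": f'"{SAMPLE_IMAGE}"'},
    {"type": "registry", "pid": 1156,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"type": "process", "pid": 592, "ppid": 1156,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"type": "process", "pid": 436, "ppid": 1156, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_IMAGE}"'},
    {"type": "process", "pid": 1104, "ppid": 436, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# Any Run/RunOnce key, whatever the hive and whether or not WOW64 redirected it.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Paths a standard user can write to without elevation (assumed list).
USER_WRITABLE_RE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData)\\", re.IGNORECASE)
# "ping <loopback>" used purely as a delay before the next command.
LOOPBACK_PING_RE = re.compile(r"\bping\b[^&|]*\b(127\.0\.0\.1|localhost)\b", re.IGNORECASE)
# A del/erase command and its arguments, up to the next shell operator.
DEL_RE = re.compile(r"\b(del|erase)\b[^&|]*", re.IGNORECASE)


def detect(events):
    """Return (rule, pid, detail) tuples for Run-key persistence into a
    user-writable path and for cmd.exe deleting its own parent's image."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "registry":
            if RUN_KEY_RE.search(e["key"]) and USER_WRITABLE_RE.search(e["value"]):
                findings.append(("run_key_to_user_writable_path", e["pid"], e["value"]))
        elif e["type"] == "process" and e["image"].lower().endswith("\\cmd.exe"):
            parent = procs.get(e["ppid"])
            if parent is None:
                continue  # parent not in the window we are looking at
            cmd = e["cmdline"]
            # Only fire when the file being deleted is the parent's own image;
            # cmd.exe deleting some other file is ordinary installer behaviour.
            for m in DEL_RE.finditer(cmd):
                if parent["image"].lower() in m.group(0).lower():
                    rule = ("self_delete_after_loopback_ping"
                            if LOOPBACK_PING_RE.search(cmd) else "self_delete_via_cmd")
                    findings.append((rule, e["pid"], parent["image"]))
                    break
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:34} pid={pid} {detail}")
```

On a live host the same logic runs over Sysmon event ID 1 (process create) and event ID 13 (registry value set) records. Because the sample removes itself, the persistent artefact to hunt for afterwards is the dropped MediaCenter.exe (SHA256 b3d81daffaebb7f350aa84b42f2ab6007bfbe3e4a5c391867a7b9263df2ea643 in this report) and the MicroMedia value under both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.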
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
6ca7ce6de33fd631ce950bb053654b23
SHA1
58db4f4ee8235a48f35e194e8047f0613ffdf058
SHA256
b3d81daffaebb7f350aa84b42f2ab6007bfbe3e4a5c391867a7b9263df2ea643
SHA512
c09febc1f5ea1fb73bd2e33945dd513987211ee958a3a3ce9201a241e89e1f38c90fafc0803f7263fda3a3b1e6dcdb4933b3b666f162e147f75d84ce629ccd94
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
6ca7ce6de33fd631ce950bb053654b23
SHA1
58db4f4ee8235a48f35e194e8047f0613ffdf058
SHA256
b3d81daffaebb7f350aa84b42f2ab6007bfbe3e4a5c391867a7b9263df2ea643
SHA512
c09febc1f5ea1fb73bd2e33945dd513987211ee958a3a3ce9201a241e89e1f38c90fafc0803f7263fda3a3b1e6dcdb4933b3b666f162e147f75d84ce629ccd94
-
memory/1156-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
Filesize
8KB