Analysis
- max time kernel: 122s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:43
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0398705a49df7085aba44dbb091961c901346bab406b6d6cc686d6906fd1afc0.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 0398705a49df7085aba44dbb091961c901346bab406b6d6cc686d6906fd1afc0.exe
  Resource: win10v2004-en-20220113
General
- Target: 0398705a49df7085aba44dbb091961c901346bab406b6d6cc686d6906fd1afc0.exe
- Size: 60KB
- MD5: 55d905a1bae38a73fed3fa1d74e05745
- SHA1: bed8af4f81037a09dd397681bbe4ed3c575176ef
- SHA256: 0398705a49df7085aba44dbb091961c901346bab406b6d6cc686d6906fd1afc0
- SHA512: 67dc5c77be5d8d6ac885bb8731b49268053f239bff1675ce0f54a419dd55b33d7d6d870c33d62525fad72864f00200eb77897cb7c371a72fc279754be4d8fb80
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1924
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 784
- Loads dropped DLL (2 IoCs)
  Process: 0398705a49df7085aba44dbb091961c901346bab406b6d6cc686d6906fd1afc0.exe, PID 1568 (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0398705a49df7085aba44dbb091961c901346bab406b6d6cc686d6906fd1afc0.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0398705a49df7085aba44dbb091961c901346bab406b6d6cc686d6906fd1afc0.exe, PID 1568
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1568 (0398705a49df7085aba44dbb091961c901346bab406b6d6cc686d6906fd1afc0.exe) wrote to memory of PID 1924 (MediaCenter.exe): 4 entries
  PID 1568 (0398705a49df7085aba44dbb091961c901346bab406b6d6cc686d6906fd1afc0.exe) wrote to memory of PID 784 (cmd.exe): 4 entries
  PID 784 (cmd.exe) wrote to memory of PID 972 (PING.EXE): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0398705a49df7085aba44dbb091961c901346bab406b6d6cc686d6906fd1afc0.exe (PID 1568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0398705a49df7085aba44dbb091961c901346bab406b6d6cc686d6906fd1afc0.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1924)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 784)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0398705a49df7085aba44dbb091961c901346bab406b6d6cc686d6906fd1afc0.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 972)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2e9773fea3ca8b463283251975f3a4ad
  SHA1: a3eff30ecab71997857e109659b8e3055b0db028
  SHA256: de636086fc4894a2ed05c19ee4aef5f22223a4e79d1d0b7fa4414bd221d257cc
  SHA512: 1ed415fbf6a84afb03c04de5eb974251af787be0eecfa25eab782e3d7fb84be0a2fa3e816589dae98cedcdd4abfe3c602317133971782d7a035f5d5065663407
- memory/1568-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
  Filesize: 8KB