Analysis
- max time kernel: 154s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 12:53
Static task: static1
Behavioral task: behavioral1
  Sample: 000e744a91c2dc186a70090cb2617873085d6002adc6ce46ad9caf3172623e37.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 000e744a91c2dc186a70090cb2617873085d6002adc6ce46ad9caf3172623e37.exe
  Resource: win10v2004-en-20220113
General
- Target: 000e744a91c2dc186a70090cb2617873085d6002adc6ce46ad9caf3172623e37.exe
- Size: 36KB
- MD5: 74360304c260b9ae92e50f992d5f453b
- SHA1: e4c2a387cd282fad09abc46094b90d52516de09b
- SHA256: 000e744a91c2dc186a70090cb2617873085d6002adc6ce46ad9caf3172623e37
- SHA512: fa309d6917f4b62a554e56afa15f163f841c1b9911f4ef8ea2f4c4dab884e4b56327b2632686c5ea1b71d6def2f0e94c4a158ed0e1387f82aaba133ff3b8797d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 1292
    process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid: 308
    process: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid: 1448
    process: 000e744a91c2dc186a70090cb2617873085d6002adc6ce46ad9caf3172623e37.exe
    pid: 1448
    process: 000e744a91c2dc186a70090cb2617873085d6002adc6ce46ad9caf3172623e37.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 000e744a91c2dc186a70090cb2617873085d6002adc6ce46ad9caf3172623e37.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1448
    process: 000e744a91c2dc186a70090cb2617873085d6002adc6ce46ad9caf3172623e37.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1448 wrote to memory of 1292 | 1448 | 000e744a91c2dc186a70090cb2617873085d6002adc6ce46ad9caf3172623e37.exe | MediaCenter.exe (reported 4 times)
    PID 1448 wrote to memory of 308 | 1448 | 000e744a91c2dc186a70090cb2617873085d6002adc6ce46ad9caf3172623e37.exe | cmd.exe (reported 4 times)
    PID 308 wrote to memory of 1100 | 308 | cmd.exe | PING.EXE (reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\000e744a91c2dc186a70090cb2617873085d6002adc6ce46ad9caf3172623e37.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\000e744a91c2dc186a70090cb2617873085d6002adc6ce46ad9caf3172623e37.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\000e744a91c2dc186a70090cb2617873085d6002adc6ce46ad9caf3172623e37.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 77679cc758fa21752faf53c3ba465557
  SHA1: 479e63a891e789f1e57c9e8918fbc53b0ea71784
  SHA256: 1529edc7ba750410ed0453e338368174e70e9e985aa037b3b94cb7efa9344015
  SHA512: ccb9572327fb0b28a7605861d3050b067dbbe69fefa08d122f7562cfb75e06579f619f34f65e3d04486c4dbc7869d07266581e263e446363d7d0174b6deaa57f
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 77679cc758fa21752faf53c3ba465557
  SHA1: 479e63a891e789f1e57c9e8918fbc53b0ea71784
  SHA256: 1529edc7ba750410ed0453e338368174e70e9e985aa037b3b94cb7efa9344015
  SHA512: ccb9572327fb0b28a7605861d3050b067dbbe69fefa08d122f7562cfb75e06579f619f34f65e3d04486c4dbc7869d07266581e263e446363d7d0174b6deaa57f
- memory/1448-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
  Filesize: 8KB