Analysis
- max time kernel: 117s
- max time network: 135s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 12:07
- Static task: static1
- Behavioral task: behavioral1
  Sample: 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe
  Resource: win10v2004-en-20220112
General
- Target: 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe
- Size: 60KB
- MD5: 1eee7dbb88a4923a82c9d665706c0b3f
- SHA1: 106ea1ce7aac00dc30711f076d543d812b2eca8c
- SHA256: 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45
- SHA512: 736cc9005bed7f7e47fd237cd77283248de5b89c9d73efeb0baee35714cc548299838416ea0bb56ee227910b8549109ac1dc520e745f949fbae6e8d25de9db24
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - MediaCenter.exe, PID 1612
- Deletes itself (1 IoC)
  Processes:
  - cmd.exe, PID 1616
- Loads dropped DLL (2 IoCs)
  Processes:
  - 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe, PID 880
  - 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe, PID 880
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe, PID 880
    Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process):
  - PID 880 wrote to memory of 1612: 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe -> MediaCenter.exe
  - PID 880 wrote to memory of 1612: 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe -> MediaCenter.exe
  - PID 880 wrote to memory of 1612: 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe -> MediaCenter.exe
  - PID 880 wrote to memory of 1612: 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe -> MediaCenter.exe
  - PID 880 wrote to memory of 1616: 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe -> cmd.exe
  - PID 880 wrote to memory of 1616: 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe -> cmd.exe
  - PID 880 wrote to memory of 1616: 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe -> cmd.exe
  - PID 880 wrote to memory of 1616: 02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe -> cmd.exe
  - PID 1616 wrote to memory of 1648: cmd.exe -> PING.EXE
  - PID 1616 wrote to memory of 1648: cmd.exe -> PING.EXE
  - PID 1616 wrote to memory of 1648: cmd.exe -> PING.EXE
  - PID 1616 wrote to memory of 1648: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe (PID 880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1612)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1616)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02741c5abfddab92146b369abec39a00f743474da72b97d11a7557167ce6bd45.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1648)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ee360f499b2d66f16ebd87d17e3e0b82
  SHA1: 3eea6ab9051562840d0045351f08eda30aec470d
  SHA256: 986e194a95e7dd833461198ae7e5697e312ddf0b512b792c5ee8db3b940c646c
  SHA512: 1867ce5f9168fee7939dc3d4d7063a2d56e9d617f79cbe4e34f5e1e9677ce024cb5db30b3b12f6651d7adacd22b6aff41f512902015f87ff67e4f54f149f47dc
- memory/880-55-0x0000000075B11000-0x0000000075B13000-memory.dmp
  Filesize: 8KB