Analysis
-
max time kernel
150s -
max time network
170s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 12:08
Static task
static1
Behavioral task
behavioral1
Sample
026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe
Resource
win10v2004-en-20220112
General
-
Target
026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe
-
Size
60KB
-
MD5
707a1d509d63fdc4a0d35b277d0b1418
-
SHA1
253275d5b24cf38acd8ed9df9989901d01854286
-
SHA256
026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e
-
SHA512
fedbbdab37cd3990fca35f87306e3d1e6a17c81badb2e4514396aa7dd8182f2fe5c9d3155ad09288e953228dcad49adf0d9c0b971b0988ca3a05812da8488523
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 468 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1340 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exepid process 1744 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe 1744 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exedescription pid process Token: SeIncBasePriorityPrivilege 1744 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.execmd.exedescription pid process target process PID 1744 wrote to memory of 468 1744 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe MediaCenter.exe PID 1744 wrote to memory of 468 1744 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe MediaCenter.exe PID 1744 wrote to memory of 468 1744 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe MediaCenter.exe PID 1744 wrote to memory of 468 1744 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe MediaCenter.exe PID 1744 wrote to memory of 1340 1744 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe cmd.exe PID 1744 wrote to memory of 1340 1744 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe cmd.exe PID 1744 wrote to memory of 1340 1744 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe cmd.exe PID 1744 wrote to memory of 1340 1744 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe cmd.exe PID 1340 wrote to memory of 1512 1340 cmd.exe PING.EXE PID 1340 wrote to memory of 1512 1340 cmd.exe PING.EXE PID 1340 wrote to memory of 1512 1340 cmd.exe PING.EXE PID 1340 wrote to memory of 1512 1340 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe"C:\Users\Admin\AppData\Local\Temp\026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1512
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
d4c28f713839c5184d8aa9ba7b4c4b43
SHA16bcb1db1a3cfa84d6a7fcac8fe167bf35366c036
SHA256d67d3e8439d8af4fbd41e4a008df0d2c9f22fc7627623205550c484e2f2756c1
SHA5121ad485d264f30247e3135d657f316c6b883371f528282845b6de0c29e4c451945f1842e77d7104e8cbb9e95638836b8619d881e5296f719ac3f9668dcb12c8f1
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
d4c28f713839c5184d8aa9ba7b4c4b43
SHA16bcb1db1a3cfa84d6a7fcac8fe167bf35366c036
SHA256d67d3e8439d8af4fbd41e4a008df0d2c9f22fc7627623205550c484e2f2756c1
SHA5121ad485d264f30247e3135d657f316c6b883371f528282845b6de0c29e4c451945f1842e77d7104e8cbb9e95638836b8619d881e5296f719ac3f9668dcb12c8f1
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
d4c28f713839c5184d8aa9ba7b4c4b43
SHA16bcb1db1a3cfa84d6a7fcac8fe167bf35366c036
SHA256d67d3e8439d8af4fbd41e4a008df0d2c9f22fc7627623205550c484e2f2756c1
SHA5121ad485d264f30247e3135d657f316c6b883371f528282845b6de0c29e4c451945f1842e77d7104e8cbb9e95638836b8619d881e5296f719ac3f9668dcb12c8f1
-
memory/1744-55-0x00000000763B1000-0x00000000763B3000-memory.dmpFilesize
8KB