Analysis

- max time kernel: 159s
- max time network: 188s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 12:22
Static task: static1

Behavioral task: behavioral1
- Sample: 01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da.exe
- Resource: win10v2004-en-20220112
General

- Target: 01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da.exe
- Size: 36KB
- MD5: f679d84f8389164695b6a0501d9baa9c
- SHA1: 5a3197717723180b0e31a5760469627a8a0d79b5
- SHA256: 01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da
- SHA512: 3d135b1e0c998a071b7605b159b169b48e35bfb4e71a707c08a331498547376afa3f4d8794e1736ebfd58d61f3a401b90fe7b7a9262a254a3b3d19de89aa12a4
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  pid 1224, process MediaCenter.exe

- Deletes itself (1 IoC)
  pid 1448, process cmd.exe
  The deletion is carried out by the child cmd.exe rather than by the sample's own process, which is why the IoC is attributed to cmd.exe; see the command line in the process tree below.

- Loads dropped DLL (2 IoCs)
  pid 1900, process 01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da.exe
  pid 1900, process 01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da.exe
  The key lands under Wow6432Node because the sample is a 32-bit process writing HKLM\SOFTWARE on x64 (registry redirection); Windows still runs these entries at logon, so hunts for Run-key persistence must cover both the native and the Wow6432Node path.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a heuristic that fires on drive enumeration alone; nothing else in this report (no mass file writes, no ransom note) corroborates ransomware activity.

- Runs ping.exe (1 TTP, 1 IoC)
  pid 460, process PING.EXE

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 1900, process 01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | procid_target
  PID 1900 wrote to memory of 1224 | 1900 | 01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da.exe | 27 (recorded 4 times)
  PID 1900 wrote to memory of 1448 | 1900 | 01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da.exe | 32 (recorded 4 times)
  PID 1448 wrote to memory of 460 | 1448 | cmd.exe | 34 (recorded 4 times)
  These writes are the normal parent-to-child memory writes that accompany process creation (the targets are the sample's own children), not an injection into an unrelated process.
Processes

- C:\Users\Admin\AppData\Local\Temp\01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da.exe (PID 1900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1224)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe (PID 1448)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    The command line asks for System32\cmd.exe but the image actually loaded is SysWOW64\cmd.exe: WOW64 file-system redirection for a 32-bit parent. The `ping 127.0.0.1` is a delay so the parent has exited before `del` runs against its image.

    - C:\Windows\SysWOW64\PING.EXE (PID 460)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
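The two behaviours worth turning into detections from this report are the self-deletion pattern (a cmd.exe child that pings localhost as a delay and then deletes its parent's image) and the Run-key persistence pointing into AppData\Local\Temp. The script below is an added example, not part of the sandbox report or its tooling: it runs both checks over constructed process-creation and registry events copied from the process tree above (PIDs 1900, 1224, 1448, 460 as reported, plus a made-up explorer.exe/cmd.exe pair as a benign control). The event classes, the control processes and every function name are assumptions for this example. The Run-key rule matches the native and the Wow6432Node key paths, since a 32-bit writer lands under Wow6432Node as seen here.

```python
"""Added example (not from the sandbox report): detection logic for two
behaviours the report records, run over constructed events mirroring its
process tree and Run-key IoC. Event classes, the two benign control
processes and all function names are assumptions for this example."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: Optional[int]
    image: str      # image path recorded at process creation
    cmdline: str

@dataclass(frozen=True)
class RegistryEvent:
    pid: int
    key: str
    value_name: str
    data: str       # value data as written, quotes included if present

@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = ntpath.join(TEMP, "01bfd1995a54348928ff631702f8f15a94f0a642b3507f1c27b591e658dcb2da.exe")
DROPPED = ntpath.join(TEMP, r"MicroMedia\MediaCenter.exe")
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"

# Constructed from the report's process tree (PIDs and command lines as reported),
# plus an explorer-spawned cmd.exe deleting an unrelated file as a benign control.
SAMPLE_PROCESSES = [
    ProcessEvent(1900, None, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(1224, 1900, DROPPED, DROPPED),
    ProcessEvent(1448, 1900, r"C:\Windows\SysWOW64\cmd.exe",
                 f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcessEvent(460, 1448, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcessEvent(1000, None, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(1001, 1000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c del /q "C:\Users\Admin\old.log"'),
]
# The report shows the Run value with escaped (doubled) backslashes; the data actually
# written is the quoted path.
SAMPLE_REGISTRY = [RegistryEvent(1900, RUN_KEY, "MicroMedia", f'"{DROPPED}"')]

# `del`/`erase`, optional switches, then a quoted or bare path.
DEL_TARGET = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z]+)*\s+(?:"([^"]+)"|([^\s&|]+))', re.I)
# `ping` against localhost in the same command segment: the usual stand-in for sleep.
PING_DELAY = re.compile(r'\bping(?:\.exe)?\b[^&|]*\b(?:127\.0\.0\.1|localhost)\b', re.I)
# Native and Wow6432Node Run/RunOnce keys, in kernel (\REGISTRY\...) or HK* notation.
RUN_KEY_RE = re.compile(
    r'^\\?(?:REGISTRY\\(?:MACHINE|USER\\[^\\]+)|HK[A-Z_]+)\\SOFTWARE\\(?:Wow6432Node\\)?'
    r'Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$', re.I)
TEMP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\|\\Windows\\Temp\\', re.I)

def _norm(path: str) -> str:
    """Case-folded, separator-normalised Windows path for comparison."""
    return ntpath.normcase(path.strip().strip('"'))

def _image_from_value(data: str) -> str:
    """Executable part of a Run value: the quoted path, else the first bare token."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split()[0] if data else ""

def detect_self_delete(processes: List[ProcessEvent]) -> List[Finding]:
    """Flag cmd.exe children that delete their parent's own image path."""
    by_pid = {p.pid: p for p in processes}
    findings = []
    for p in processes:
        if ntpath.basename(p.image).lower() != "cmd.exe" or p.ppid not in by_pid:
            continue
        parent = by_pid[p.ppid]
        for m in DEL_TARGET.finditer(p.cmdline):
            if _norm(m.group(1) or m.group(2)) == _norm(parent.image):
                delay = " after a ping delay" if PING_DELAY.search(p.cmdline) else ""
                findings.append(Finding("self_delete", p.pid,
                    f"cmd.exe deletes parent image {parent.image} (pid {parent.pid}){delay}"))
    return findings

def detect_temp_run_key(events: List[RegistryEvent]) -> List[Finding]:
    """Flag Run-key values whose executable lives under a Temp directory."""
    findings = []
    for e in events:
        target = _image_from_value(e.data)
        if RUN_KEY_RE.match(e.key) and TEMP_DIR_RE.search(target):
            findings.append(Finding("run_key_temp", e.pid,
                f"{e.value_name} -> {target} under {e.key}"))
    return findings

def analyze(processes: List[ProcessEvent], registry: List[RegistryEvent]) -> List[Finding]:
    return detect_self_delete(processes) + detect_temp_run_key(registry)

if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESSES, SAMPLE_REGISTRY):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

The self-delete rule keys on the parent's recorded image path rather than on `del` alone, so an explorer-spawned cmd.exe deleting a log file (the control pair) stays quiet while the report's cmd.exe (PID 1448) is flagged against PID 1900. It will miss variants that route the deletion through a dropped batch file or a different shell; extend the image check and the `DEL_TARGET` pattern if that matters in your telemetry.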