Analysis
max time kernel: 4294180s
max time network: 124s
platform: windows7_x64
resource: win7-20220311-en
submitted: 23-03-2022 09:35
Static task: static1
Behavioral task: behavioral1
  Sample: 6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: 6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe
  Resource: win10v2004-en-20220113
General
Target: 6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe
Size: 44KB
MD5: bd0c5a300f38dbcd5df55edc20426bd6
SHA1: fd8cfb0e3fa32b42ccbffc4c0dd8f1ab94896358
SHA256: 6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630
SHA512: c2d0d1d34a187e72522708de4ada0e3bc38e1d0983d76078af760f6689f58827e355411365d593d63bf027b05714badc2302e40a0345f49254811a096d7f5fe9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 564 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: PID 1980 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1904 cmd.exe; PID 1904 cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  Key created by reg.exe: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str) by reg.exe: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (source PID wrote to memory of target PID; each pair was recorded 4 times, 24 events in total):
  PID 968 (6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe) wrote to memory of PID 1900, procid_target 27 (4 events)
  PID 968 (6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe) wrote to memory of PID 1904, procid_target 28 (4 events)
  PID 968 (6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe) wrote to memory of PID 1980, procid_target 30 (4 events)
  PID 1904 (cmd.exe) wrote to memory of PID 564, procid_target 33 (4 events)
  PID 1900 (cmd.exe) wrote to memory of PID 1056, procid_target 35 (4 events)
  PID 1980 (cmd.exe) wrote to memory of PID 1488, procid_target 34 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe"
  - Suspicious use of WriteProcessMemory
  PID: 968
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1900
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      - Adds Run key to start application
      - Modifies registry key
      PID: 1056
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1904
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 564
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1980
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1488
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 778de3633cb2456865de56d5e4cf4271
SHA1: e05e3b6b1d9aa630cef3d0d02ab52e952648a716
SHA256: cc8d847d921e3997c060e85c9146c1605b90bd4a90d4d2e01d76c719081fc7f4
SHA512: b116002ab2176d2787499277e6eb1f0b415f581112479a6368aaf0e6a960f8f6a6da026d5513cb9b9d05a46a095bb3a8ea364256fe99d3d7252ac695aa0c301d