Analysis

max time kernel: 148s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 26-03-2022 06:46
Static task: static1

Behavioral task: behavioral1
Sample: 2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe
Resource: win7-20220311-en

Behavioral task: behavioral2
Sample: 2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe
Resource: win10v2004-en-20220113
General

Target: 2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe
Size: 47KB
MD5: 0f755d96fb0b6e2f08fa88ce109da39e
SHA1: e39e88fa90e7f5dc0913efc1962789a152c0a911
SHA256: 2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d
SHA512: 1a5eaf9378308bb6f2a7fe9199cb63f8453e6d08950c10c0ddff22e325a771337f171f598302a71be13564be9ac5a3d31ddfdd61c3164cde9e484d13392e2d77
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   Process
  676   MediaCenter.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description       ioc                                                                                                                                                          Process
  Key created       \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                                                   reg.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   reg.exe

Modifies registry key (1 TTP, 1 IoC)

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                          pid    Process                                                                   procid_target
  PID 4424 wrote to memory of 3772     4424   2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe    79
  PID 4424 wrote to memory of 3772     4424   2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe    79
  PID 4424 wrote to memory of 3772     4424   2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe    79
  PID 4424 wrote to memory of 3744     4424   2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe    80
  PID 4424 wrote to memory of 3744     4424   2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe    80
  PID 4424 wrote to memory of 3744     4424   2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe    80
  PID 4424 wrote to memory of 4180     4424   2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe    83
  PID 4424 wrote to memory of 4180     4424   2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe    83
  PID 4424 wrote to memory of 4180     4424   2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe    83
  PID 3772 wrote to memory of 3424     3772   cmd.exe                                                                   86
  PID 3772 wrote to memory of 3424     3772   cmd.exe                                                                   86
  PID 3772 wrote to memory of 3424     3772   cmd.exe                                                                   86
  PID 4180 wrote to memory of 800      4180   cmd.exe                                                                   85
  PID 4180 wrote to memory of 800      4180   cmd.exe                                                                   85
  PID 4180 wrote to memory of 800      4180   cmd.exe                                                                   85
  PID 3744 wrote to memory of 676      3744   cmd.exe                                                                   87
  PID 3744 wrote to memory of 676      3744   cmd.exe                                                                   87
  PID 3744 wrote to memory of 676      3744   cmd.exe                                                                   87
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4424

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
        - Suspicious use of WriteProcessMemory
        PID: 3772

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
            - Adds Run key to start application
            - Modifies registry key
            PID: 3424

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
        - Suspicious use of WriteProcessMemory
        PID: 3744

        [3] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
            - Executes dropped EXE
            PID: 676

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe"
        - Suspicious use of WriteProcessMemory
        PID: 4180

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 800
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 586a8ab77ce47ffc3446f82dc066b730
SHA1: ec4034b0fe19255b8bee2f6b481b17c5c0f1c4b6
SHA256: c34277f9968ba2d7aa0829f83a53fd3f4bfdd2a0269f5e2bc0f2dd52bbaf6a5c
SHA512: 016d8053d817e1f35ca41e11733288b6e7101e20f7d6168076a615bdce04d566702b8c36bffbe689c8b63df404a84456881070fe53036933a9b9184532ec0a90