Analysis
max time kernel: 196s
max time network: 225s
platform: windows7_x64
resource: win7-20220414-en
submitted: 16-05-2022 12:14
Static task: static1
Behavioral task: behavioral1
  Sample: 538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe
  Resource: win10v2004-20220414-en
General
Target: 538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe
Size: 29KB
MD5: f4df5e903d1b9ca375f23500dfa68a76
SHA1: cb8e9ff5aa669751303fe6986dd9eb53a99675b8
SHA256: 538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936
SHA512: 8bd05f5cd39d667277174c3db2e767c4202a15b036d2d464aa130f9751ba74dc69f24188c205f03a7b54bcb0fad1bdddfa1e347795bc350b5992bda88668442c
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 2004)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 1220)
- Loads dropped DLL (2 IoCs)
  Process: cmd.exe (PID 1656), two load events
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: reg.exe
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: the reg add command line (see Processes) names HKLM\Software\Microsoft\Windows\CurrentVersion\Run, but reg.exe was started from SysWOW64 as a 32-bit process, so WOW64 registry redirection placed the value under Wow6432Node. On 64-bit Windows both Run keys are processed at logon, so the persistence is effective; hunting for the MicroMedia entry has to cover both keys.
- Modifies registry key (1 TTP, 1 IoC)
  Process: reg.exe (PID 1420, per the process tree)
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 1424, per the process tree)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Each parent-to-child write was recorded four times, so the 24 IoCs reduce to six source/target pairs (procid_target is the report's own per-run process index, not a PID):
  1680 538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe -> 1224 cmd.exe (procid_target 28), 4 writes
  1680 538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe -> 1656 cmd.exe (procid_target 29), 4 writes
  1680 538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe -> 1220 cmd.exe (procid_target 31), 4 writes
  1224 cmd.exe -> 1420 reg.exe (procid_target 33), 4 writes
  1656 cmd.exe -> 2004 MediaCenter.exe (procid_target 35), 4 writes
  1220 cmd.exe -> 1424 PING.EXE (procid_target 36), 4 writes
  Every write goes from a parent into a child it has just spawned, which is consistent with ordinary process start-up rather than injection into an unrelated process; the signature is a weak indicator here on its own.
Processes
C:\Users\Admin\AppData\Local\Temp\538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe (depth 1, PID 1680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1224)
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 1420)
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      - Adds Run key to start application
      - Modifies registry key
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1656)
    Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 3, PID 2004)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1220)
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (depth 3, PID 1424)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Read top to bottom, the chain is: the sample registers the dropped MediaCenter.exe as a Run-key autostart through a cmd.exe/reg.exe pair, launches MediaCenter.exe through a second cmd.exe, and then removes its own file through a third cmd.exe that uses a loopback ping as a short delay before the del, so the original executable is gone by the time the run ends.
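The three behaviours in the tree (Run-key persistence via reg.exe, a dropped executable started from the user's Temp directory, and the ping-then-del self-deletion) are exactly what a process-creation detection should catch. The following is an added example, not part of the Tria.ge report and not the sandbox's own signature code. Its ProcEvent records are constructed from the process tree above; the Sysmon-style field names (image, parent PID, command line) and the ppid 0 used for the sandbox launcher are assumptions. It goes slightly beyond this sample: it also recognises timeout/choice delays and HKCU Run keys, and it models the WOW64 redirection that explains why the Signatures section shows the value under Wow6432Node even though the command line names the plain HKLM\Software path.

```python
"""Detections for Run-key persistence, dropped-EXE execution and
ping-then-del self-deletion. Added example, not Tria.ge code; the events
are a constructed stand-in for Sysmon Event ID 1 style telemetry."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str
    meta: dict = field(default_factory=dict)


# reg add <HKLM|HKCU ...\CurrentVersion\Run[Once]> /v <name> ... /d <data>
RUN_KEY_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+\"?(?P<key>HK(?:LM|CU|EY_LOCAL_MACHINE|EY_CURRENT_USER)"
    r"\\[^\s\"]*?CurrentVersion\\Run(?:Once)?)\"?.*?/v\s+\"?(?P<name>[^\"\s]+)\"?"
    r".*?/d\s+\"?(?P<data>[^\"]+?)\"?\s*$", re.IGNORECASE)
# <delay command> & del [/switches] <path>; ping/timeout/choice are the usual delays
SELF_DELETE_RE = re.compile(
    r"\b(?:ping|timeout|choice)\b[^&|]*(?:&&?|\|\|)\s*(?:del|erase)\s+"
    r"(?:/[a-z]\s+)*\"?(?P<path>[^\"]+?)\"?\s*$", re.IGNORECASE)
TEMP_MARKER = "\\appdata\\local\\temp\\"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_temp(path: str) -> bool:
    return TEMP_MARKER in path.lower()


def detect_run_key_persistence(ev: ProcEvent) -> Optional[Finding]:
    if _basename(ev.image) != "reg.exe":
        return None
    m = RUN_KEY_RE.search(ev.cmdline)
    if not m:
        return None
    key, name, data = m.group("key"), m.group("name"), m.group("data")
    effective = key
    # WOW64 redirection: a 32-bit reg.exe (run from SysWOW64) writing
    # HKLM\Software\... actually lands in HKLM\Software\Wow6432Node\...,
    # which is what the sandbox recorded for this sample.
    if "\\syswow64\\" in ev.image.lower() and re.match(
            r"(?i)(HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\(?!Wow6432Node\\)", key):
        effective = re.sub(r"(?i)^(HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\",
                           r"\1\\Software\\Wow6432Node\\", key)
    detail = f"{effective}\\{name} = {data}"
    if _in_temp(data):
        detail += " [autostart target lives in the user's Temp directory]"
    return Finding("run_key_persistence", ev.pid, detail,
                   {"key": key, "effective_key": effective, "name": name, "data": data})


def detect_self_delete(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[Finding]:
    if _basename(ev.image) != "cmd.exe":
        return None
    m = SELF_DELETE_RE.search(ev.cmdline)
    if not m:
        return None
    target = m.group("path")
    parent = by_pid.get(ev.ppid)
    if parent is not None and parent.image.lower() == target.lower():
        return Finding("self_delete", ev.pid,
                       f"pid {parent.pid} deletes its own image {target} after a delay",
                       {"target": target, "deleter_ppid": parent.pid})
    return Finding("delayed_delete", ev.pid, f"delayed delete of {target}", {"target": target})


def detect_dropped_exe(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[Finding]:
    """An executable in Temp whose ancestry holds a different executable in Temp:
    the dropper ran what it wrote (here through an intermediate cmd.exe)."""
    if not _in_temp(ev.image):
        return None
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if _in_temp(cur.image) and cur.image.lower() != ev.image.lower():
            return Finding("dropped_exe_executed", ev.pid,
                           f"{ev.image} started under {cur.image} (pid {cur.pid})",
                           {"dropper_pid": cur.pid})
        cur = by_pid.get(cur.ppid)
    return None


def analyze(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    out: List[Finding] = []
    for ev in events:
        for f in (detect_run_key_persistence(ev), detect_self_delete(ev, by_pid),
                  detect_dropped_exe(ev, by_pid)):
            if f is not None:
                out.append(f)
    return out


# Constructed from the process tree above; ppid 0 stands for the sandbox launcher.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD, REG, PING = (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe",
                  r"C:\Windows\SysWOW64\PING.EXE")
REG_ADD = (r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" '
           rf'/t REG_SZ /d "{DROPPED}"')
EVENTS = [
    ProcEvent(1680, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1224, 1680, CMD, "cmd.exe /c " + REG_ADD),
    ProcEvent(1420, 1224, REG, REG_ADD),
    ProcEvent(1656, 1680, CMD, f'cmd.exe /c "{DROPPED}"'),
    ProcEvent(2004, 1656, DROPPED, DROPPED),
    ProcEvent(1220, 1680, CMD, f'cmd.exe /c ping 127.0.0.1 & del "{SAMPLE}"'),
    ProcEvent(1424, 1220, PING, "ping 127.0.0.1"),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:22} pid={f.pid:<5} {f.detail}")
```

Run against the constructed events it reports three findings, one per behaviour: the Run-key write by reg.exe (PID 1420, with the effective key rewritten to the Wow6432Node path the sandbox saw), MediaCenter.exe (PID 2004) as a dropped executable whose ancestry leads back to the sample, and the self-deletion by cmd.exe (PID 1220), attributed to the parent whose image is the del target. Matching the del target against the parent's image path is what separates genuine self-deletion from a script merely cleaning up a file, so the two cases get different rule names.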
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 29KB
  MD5: da772e0b6f0e03aa3c54893c33449dd1
  SHA1: bd9470a9e548490bf178a29ea0fba80eb4228a68
  SHA256: 44f71065b95cabfaf7e0dc0ef3dc4b6f5a618b3cef83dd23c6cfc072cc9aeb73
  SHA512: 7b0a4af409e8348aa53226b5ebf544cf4804a5332c6ae822324e4b7836e06b650e1912f245c0be81592e4f4779c1a7a44cbde1a5e4e35de11491a6f3203ffa35
  These hashes differ from the submitted sample's, so this is a different 29KB file written during the run; the report does not give its path.