Analysis
max time kernel: 116s
max time network: 166s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06-09-2022 21:34
Behavioral task behavioral1
Sample: 6c2a5e3bda43426781fbb5693fdf2a96.exe
Resource: win7-20220812-en

Behavioral task behavioral2
Sample: 6c2a5e3bda43426781fbb5693fdf2a96.exe
Resource: win10v2004-20220812-en
General
Target: 6c2a5e3bda43426781fbb5693fdf2a96.exe
Size: 43KB
MD5: 6c2a5e3bda43426781fbb5693fdf2a96
SHA1: 32f70a92f99232b52e1f9683d2788c7c90ed5df0
SHA256: 1b5cce8b8a38d3caef308cb2200f7a3c5439f47936e63e0a9683e5c80f44116b
SHA512: 416964a6224ad459b8875f45eb19f4750da1cfd63cac2412c36c1918898a9d66a9750453bf2964f4ccbd311e804864f7fe97ed8d3f3ff80e7ce430d7a6953c4d
SSDEEP: 384:MnyhSksAVndb4G3w2NMsG9OqvhyY3Q6oVxYwwsRhg7+iXXRodY6kLdAeMB:1hSksandb4GgyMsp4hyYtoVxYdT7ZXqJ
Malware Config
Signatures

Executes dropped EXE 1 IoCs
pid   Process
1168  MediaCenter.exe

yara_rule matches
resource                                                                      yara_rule
behavioral1/memory/1388-55-0x0000000000400000-0x000000000040D000-memory.dmp   upx
behavioral1/memory/1388-59-0x0000000000400000-0x000000000040D000-memory.dmp   upx
behavioral1/files/0x0008000000015473-61.dat                                   upx
behavioral1/files/0x0008000000015473-60.dat                                   upx
behavioral1/files/0x0008000000015473-62.dat                                   upx
behavioral1/files/0x0008000000015473-64.dat                                   upx
behavioral1/memory/2012-66-0x0000000000130000-0x000000000013D000-memory.dmp   upx
behavioral1/memory/2012-70-0x0000000000130000-0x000000000013D000-memory.dmp   upx
behavioral1/memory/1168-72-0x0000000000400000-0x000000000040D000-memory.dmp   upx

Deletes itself 1 IoCs
pid   Process
1164  cmd.exe

Loads dropped DLL 2 IoCs
pid   Process
2012  cmd.exe
2012  cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (reg.exe)

Modifies registry key 1 TTPs 1 IoCs
pid   Process
912   reg.exe

Runs ping.exe 1 TTPs 1 IoCs
pid   Process
904   PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs
description                        pid   Process                                procid_target
PID 1388 wrote to memory of 792    1388  6c2a5e3bda43426781fbb5693fdf2a96.exe   27
PID 1388 wrote to memory of 792    1388  6c2a5e3bda43426781fbb5693fdf2a96.exe   27
PID 1388 wrote to memory of 792    1388  6c2a5e3bda43426781fbb5693fdf2a96.exe   27
PID 1388 wrote to memory of 792    1388  6c2a5e3bda43426781fbb5693fdf2a96.exe   27
PID 1388 wrote to memory of 2012   1388  6c2a5e3bda43426781fbb5693fdf2a96.exe   28
PID 1388 wrote to memory of 2012   1388  6c2a5e3bda43426781fbb5693fdf2a96.exe   28
PID 1388 wrote to memory of 2012   1388  6c2a5e3bda43426781fbb5693fdf2a96.exe   28
PID 1388 wrote to memory of 2012   1388  6c2a5e3bda43426781fbb5693fdf2a96.exe   28
PID 1388 wrote to memory of 1164   1388  6c2a5e3bda43426781fbb5693fdf2a96.exe   30
PID 1388 wrote to memory of 1164   1388  6c2a5e3bda43426781fbb5693fdf2a96.exe   30
PID 1388 wrote to memory of 1164   1388  6c2a5e3bda43426781fbb5693fdf2a96.exe   30
PID 1388 wrote to memory of 1164   1388  6c2a5e3bda43426781fbb5693fdf2a96.exe   30
PID 2012 wrote to memory of 1168   2012  cmd.exe                                33
PID 2012 wrote to memory of 1168   2012  cmd.exe                                33
PID 2012 wrote to memory of 1168   2012  cmd.exe                                33
PID 2012 wrote to memory of 1168   2012  cmd.exe                                33
PID 792 wrote to memory of 912     792   cmd.exe                                34
PID 792 wrote to memory of 912     792   cmd.exe                                34
PID 792 wrote to memory of 912     792   cmd.exe                                34
PID 792 wrote to memory of 912     792   cmd.exe                                34
PID 1164 wrote to memory of 904    1164  cmd.exe                                35
PID 1164 wrote to memory of 904    1164  cmd.exe                                35
PID 1164 wrote to memory of 904    1164  cmd.exe                                35
PID 1164 wrote to memory of 904    1164  cmd.exe                                35
Processes

C:\Users\Admin\AppData\Local\Temp\6c2a5e3bda43426781fbb5693fdf2a96.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c2a5e3bda43426781fbb5693fdf2a96.exe"
  PID: 1388
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID: 792
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      PID: 912
      - Adds Run key to start application
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID: 2012
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1168
      - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\6c2a5e3bda43426781fbb5693fdf2a96.exe"
    PID: 1164
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 904
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 43KB
MD5: 2d5d0cefc576aa916383504e1baba102
SHA1: 97cae77569916e6922d9cf585f335b4b12540191
SHA256: abf70cb1775f92e4e7ae7cc9ad7b92a127b4b8a99d8f19c279b47af8a9eb3717
SHA512: b62901db93e081279f078e705342d8adf1707bdf0797cd3b9fc2f55aa9b919c42f28e0f37df4af29e60cf717f8fdec800ce1dccfa63355be4b05c0a47b19a350