Analysis
-
max time kernel
152s -
max time network
187s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06-09-2022 21:34
Behavioral task
behavioral1
Sample
6c2a5e3bda43426781fbb5693fdf2a96.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
6c2a5e3bda43426781fbb5693fdf2a96.exe
Resource
win10v2004-20220812-en
General
-
Target
6c2a5e3bda43426781fbb5693fdf2a96.exe
-
Size
43KB
-
MD5
6c2a5e3bda43426781fbb5693fdf2a96
-
SHA1
32f70a92f99232b52e1f9683d2788c7c90ed5df0
-
SHA256
1b5cce8b8a38d3caef308cb2200f7a3c5439f47936e63e0a9683e5c80f44116b
-
SHA512
416964a6224ad459b8875f45eb19f4750da1cfd63cac2412c36c1918898a9d66a9750453bf2964f4ccbd311e804864f7fe97ed8d3f3ff80e7ce430d7a6953c4d
-
SSDEEP
384:MnyhSksAVndb4G3w2NMsG9OqvhyY3Q6oVxYwwsRhg7+iXXRodY6kLdAeMB:1hSksandb4GgyMsp4hyYtoVxYdT7ZXqJ
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3736 MediaCenter.exe -
resource yara_rule behavioral2/memory/4436-132-0x0000000000400000-0x000000000040D000-memory.dmp upx behavioral2/memory/4436-133-0x0000000000400000-0x000000000040D000-memory.dmp upx behavioral2/memory/4436-137-0x0000000000400000-0x000000000040D000-memory.dmp upx behavioral2/files/0x0006000000022e50-142.dat upx behavioral2/files/0x0006000000022e50-141.dat upx behavioral2/memory/3736-143-0x0000000000400000-0x000000000040D000-memory.dmp upx behavioral2/memory/3736-144-0x0000000000400000-0x000000000040D000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" reg.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 3832 reg.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3756 PING.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 4436 wrote to memory of 3820 4436 6c2a5e3bda43426781fbb5693fdf2a96.exe 81 PID 4436 wrote to memory of 3820 4436 6c2a5e3bda43426781fbb5693fdf2a96.exe 81 PID 4436 wrote to memory of 3820 4436 6c2a5e3bda43426781fbb5693fdf2a96.exe 81 PID 4436 wrote to memory of 4820 4436 6c2a5e3bda43426781fbb5693fdf2a96.exe 82 PID 4436 wrote to memory of 4820 4436 6c2a5e3bda43426781fbb5693fdf2a96.exe 82 PID 4436 wrote to memory of 4820 4436 6c2a5e3bda43426781fbb5693fdf2a96.exe 82 PID 4436 wrote to memory of 4888 4436 6c2a5e3bda43426781fbb5693fdf2a96.exe 85 PID 4436 wrote to memory of 4888 4436 6c2a5e3bda43426781fbb5693fdf2a96.exe 85 PID 4436 wrote to memory of 4888 4436 6c2a5e3bda43426781fbb5693fdf2a96.exe 85 PID 3820 wrote to memory of 3832 3820 cmd.exe 87 PID 3820 wrote to memory of 3832 3820 cmd.exe 87 PID 3820 wrote to memory of 3832 3820 cmd.exe 87 PID 4888 wrote to memory of 3756 4888 cmd.exe 88 PID 4888 wrote to memory of 3756 4888 cmd.exe 88 PID 4888 wrote to memory of 3756 4888 cmd.exe 88 PID 4820 wrote to memory of 3736 4820 cmd.exe 89 PID 4820 wrote to memory of 3736 4820 cmd.exe 89 PID 4820 wrote to memory of 3736 4820 cmd.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c2a5e3bda43426781fbb5693fdf2a96.exe"C:\Users\Admin\AppData\Local\Temp\6c2a5e3bda43426781fbb5693fdf2a96.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"3⤵
- Adds Run key to start application
- Modifies registry key
PID:3832
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe3⤵
- Executes dropped EXE
PID:3736
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\6c2a5e3bda43426781fbb5693fdf2a96.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3756
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
43KB
MD5d63f2fb5bf9e17b1e90e5a0ab7a70c35
SHA13b492f68875936a2f5a6a92403b80881f272b232
SHA256edaf0a4d4f71d633b53d6bd6f5091ad6a7a88258c650772033b3832cea368e93
SHA512fb37e0b2167352d1f7679797228c6402e8b254184c7d6a2c2e277b33a4cac2fc5fe39bfc72d52c1e3f4ec574f528f810f7b876785575ff61398d1f679cbd8263
-
Filesize
43KB
MD5d63f2fb5bf9e17b1e90e5a0ab7a70c35
SHA13b492f68875936a2f5a6a92403b80881f272b232
SHA256edaf0a4d4f71d633b53d6bd6f5091ad6a7a88258c650772033b3832cea368e93
SHA512fb37e0b2167352d1f7679797228c6402e8b254184c7d6a2c2e277b33a4cac2fc5fe39bfc72d52c1e3f4ec574f528f810f7b876785575ff61398d1f679cbd8263