Analysis
- max time kernel: 121s
- max time network: 128s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:09
Static task: static1
Behavioral task: behavioral1
- Sample: 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe
- Resource: win10v2004-en-20220113
General
- Target: 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe
- Size: 58KB
- MD5: f83736426c098b434998d717bb2ff9a1
- SHA1: e71e33ffdc1887c3c4bf658d0fe5792b82dcda9c
- SHA256: 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc
- SHA512: 9e1ffdb1b9bc1a09b82c2c265c0b2c538ad0c3687922a93dedb4f278384e60e4bf0641b18b61226006ee3aaa21098741515598998187abd1651897709342c816
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1552)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1528)
- Loads dropped DLL (2 IoCs)
  Processes: 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe (PID 1700), 2 events
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe (PID 1700): Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1700 (0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe) wrote to memory of PID 1552 (MediaCenter.exe), 4 events
  PID 1700 (0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe) wrote to memory of PID 1528 (cmd.exe), 4 events
  PID 1528 (cmd.exe) wrote to memory of PID 816 (PING.EXE), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe (PID 1700, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1552, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1528, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 816, level 3)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5c066ce913254f3d40eb12f4143026fe
  SHA1: 6874fa688a8e53ddc5c4a4773d96d4cac632267c
  SHA256: f36b289aea6283bcd1f6b6ed5504b9d8526d8f2477b366fdd410d31ef13037e2
  SHA512: f829ba2953913f04acb282894419225c92eba78f06e31d0092a753bf8f1355ecb185211070fc1db85a7b7208a363b893a2dbbb05ed5a0682754e1e293eb72eed
- memory/1700-54-0x0000000075601000-0x0000000075603000-memory.dmp
  Filesize: 8KB