Analysis

max time kernel: 119s
max time network: 128s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:09
Static task: static1

Behavioral task: behavioral1
  Sample: 0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe
  Resource: win10v2004-en-20220112
General

Target: 0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe
Size: 36KB
MD5: 7b03d9ad9afd0a6c1531ca94b02f3e0c
SHA1: 6a2eb8f2634b2faf535da753eef5a98299a280c3
SHA256: 0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed
SHA512: 480516e71f696c3b4486dc70bc60e68ed7a4dedc07db7bdb00cb9bc04b44a45837df1ca3ed2befaed9277c07830837aa05ae4d340394ce28d245aa2717b7a17d
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1892  MediaCenter.exe

Deletes itself (1 IoC)
  Processes (pid, process):
    1640  cmd.exe

Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1088  0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe
    1088  0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1088  0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1088 wrote to memory of 1892  1088  0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe  MediaCenter.exe
    PID 1088 wrote to memory of 1892  1088  0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe  MediaCenter.exe
    PID 1088 wrote to memory of 1892  1088  0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe  MediaCenter.exe
    PID 1088 wrote to memory of 1892  1088  0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe  MediaCenter.exe
    PID 1088 wrote to memory of 1640  1088  0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe  cmd.exe
    PID 1088 wrote to memory of 1640  1088  0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe  cmd.exe
    PID 1088 wrote to memory of 1640  1088  0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe  cmd.exe
    PID 1088 wrote to memory of 1640  1088  0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe  cmd.exe
    PID 1640 wrote to memory of 1648  1640  cmd.exe  PING.EXE
    PID 1640 wrote to memory of 1648  1640  cmd.exe  PING.EXE
    PID 1640 wrote to memory of 1648  1640  cmd.exe  PING.EXE
    PID 1640 wrote to memory of 1648  1640  cmd.exe  PING.EXE
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe"
  PID: 1088
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1892
    - Executes dropped EXE

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ad4b7e78808280dfb7d173930e1cd072714fbac1c0db7628bf028be570a23ed.exe"
    PID: 1640
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1648
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0b86e05b4908dbb15886b18d1720e54c
  SHA1: 5400536da38674ca90a61528d245b5f95d80266a
  SHA256: ba2b143c06ba0e8b350c9275df188e964ad01b150bd3ea42f15189fe5e8693ca
  SHA512: dd915aeafc3a17acea3397444dae99c89765767d0af2057d159fa833af1e37cf3eec05f0ad8725a4f7786e97078451bd66042599e4574f9a77ac612471692b00
memory/1088-53-0x0000000076C61000-0x0000000076C63000-memory.dmp
  Filesize: 8KB