Analysis
- max time kernel: 151s
- max time network: 131s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:13
Static task: static1
Behavioral task: behavioral1
- Sample: 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe
- Resource: win10v2004-en-20220113
General
- Target: 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe
- Size: 58KB
- MD5: edc24ad69b4fee13ff45be5a022b38d8
- SHA1: 17a310545e6f64b40be51164a0b26c15c2722097
- SHA256: 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9
- SHA512: a1fe9693c0a57ede50353955bac81e5293ac69813331b458cfd63cb914372ae16a035ef7e8a477121a93035be11a0dcfe7c38c5dbc8a795bb3ca898fb63a26bb
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid 1608 | process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid 1532 | process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe
  pid 1548 | process 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe
  pid 1548 | process 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe
  description: Token: SeIncBasePriorityPrivilege | pid 1548 | process 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe, cmd.exe
  description | pid | process | target process
  PID 1548 wrote to memory of 1608 | 1548 | 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe | MediaCenter.exe
  PID 1548 wrote to memory of 1608 | 1548 | 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe | MediaCenter.exe
  PID 1548 wrote to memory of 1608 | 1548 | 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe | MediaCenter.exe
  PID 1548 wrote to memory of 1608 | 1548 | 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe | MediaCenter.exe
  PID 1548 wrote to memory of 1532 | 1548 | 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe | cmd.exe
  PID 1548 wrote to memory of 1532 | 1548 | 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe | cmd.exe
  PID 1548 wrote to memory of 1532 | 1548 | 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe | cmd.exe
  PID 1548 wrote to memory of 1532 | 1548 | 0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe | cmd.exe
  PID 1532 wrote to memory of 780 | 1532 | cmd.exe | PING.EXE
  PID 1532 wrote to memory of 780 | 1532 | cmd.exe | PING.EXE
  PID 1532 wrote to memory of 780 | 1532 | cmd.exe | PING.EXE
  PID 1532 wrote to memory of 780 | 1532 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1548
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1608
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ab2f248e22ae8e36138a5d26e0b11f9f484c6adc262a7998d9e5e78608d8ee9.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1532
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 780
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: dc8102cd96707e25fb81c5ac5df5f8c6
  SHA1: 0bc091817633680f969f50549656eb07141b9fb4
  SHA256: cf26dc01976358f0cd7cfa5368139519eaa925722fe5ad27a7f389b359cab738
  SHA512: 31c480d26eb3e7698c78bb456ce415d56f295d6132b1ad9b36437597c53e7437a4edf826f435b5b80c921f42eb729ced48316641d0bdd42cecd1d0d7c432f2c8
- memory/1548-54-0x0000000076451000-0x0000000076453000-memory.dmp
  Filesize: 8KB