Analysis
Max time kernel: 120s
Max time network: 127s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 09:12
Static task: static1
Behavioral task: behavioral1
  Sample: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
  Resource: win10v2004-en-20220112
General
Target: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
Size: 58KB
MD5: 0383b8ff0712767f4c237a78456b8039
SHA1: dc56756f60f758947ba35a3fbd2efe1ee839cfb3
SHA256: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf
SHA512: 8f0032bfc88583702b18788ccd91861c6c8ddcde9eaa3bc6caa8c3a8815165105b91c2ed9c624d0c1bd3865f16133a99818fb2b91560012b157ac913a08d8da6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1624
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 436
- Loads dropped DLL (2 IoCs)
  Process: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe, PID 1220
  Process: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe, PID 1220
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe, PID 1220
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1220 (0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe) wrote to memory of PID 1624 (MediaCenter.exe)
  PID 1220 (0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe) wrote to memory of PID 1624 (MediaCenter.exe)
  PID 1220 (0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe) wrote to memory of PID 1624 (MediaCenter.exe)
  PID 1220 (0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe) wrote to memory of PID 1624 (MediaCenter.exe)
  PID 1220 (0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe) wrote to memory of PID 436 (cmd.exe)
  PID 1220 (0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe) wrote to memory of PID 436 (cmd.exe)
  PID 1220 (0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe) wrote to memory of PID 436 (cmd.exe)
  PID 1220 (0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe) wrote to memory of PID 436 (cmd.exe)
  PID 436 (cmd.exe) wrote to memory of PID 1120 (PING.EXE)
  PID 436 (cmd.exe) wrote to memory of PID 1120 (PING.EXE)
  PID 436 (cmd.exe) wrote to memory of PID 1120 (PING.EXE)
  PID 436 (cmd.exe) wrote to memory of PID 1120 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe"
  Level 1, PID 1220
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Level 2, PID 1624
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe"
    Level 2, PID 436
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Level 3, PID 1120
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 335cc070c66b32b04c8aa560537dd3da
  SHA1: 508d7fd35b487bf3d89bc95c906e50921b84b46f
  SHA256: 8c46e5b5e2c42fd42d6cf179ab3dd087b6835cb76b6fb4bbfe59245e500a3e06
  SHA512: da7735d8d5b7920e2d35eac71eac075bf195e55551e7c895634f23e86181bb9ddffa6d2b03ca242e5e9448336d31ed3a9451b6e28d53b3cc5617843811bfd541
- memory/1220-53-0x0000000076071000-0x0000000076073000-memory.dmp
  Filesize: 8KB