Analysis
- max time kernel: 131s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:12
Static task: static1
Behavioral task: behavioral1
  Sample: 0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
  Resource: win10v2004-en-20220113
General
- Target: 0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
- Size: 58KB
- MD5: 46f85d5d90fef1f1cb61f09c21cb1114
- SHA1: b250af1a1048abd46b97b255c7c492223e8b42fe
- SHA256: 0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a
- SHA512: 92a23641d45519281ee92f1fa4c972e4bc2354de6c3eb31b6e50b60106ad8ceb06990f57a6112109f85b80ef3539795c2efa3acb0ea3e4640df9b31a0a8fdaa1
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 1500  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid 364  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1192  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
    pid 1192  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid 1192  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe, cmd.exe
    pid   process                                                                    target pid  target process
    1192  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe   1500        MediaCenter.exe
    1192  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe   1500        MediaCenter.exe
    1192  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe   1500        MediaCenter.exe
    1192  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe   1500        MediaCenter.exe
    1192  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe   364         cmd.exe
    1192  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe   364         cmd.exe
    1192  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe   364         cmd.exe
    1192  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe   364         cmd.exe
    364   cmd.exe                                                                    752         PING.EXE
    364   cmd.exe                                                                    752         PING.EXE
    364   cmd.exe                                                                    752         PING.EXE
    364   cmd.exe                                                                    752         PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1192
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1500
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 364
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 752
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: c9dadc45613695610a41b2ae4703db4d
  SHA1: f80023b412f35bbc119cbdaeedc4eac379edbfc4
  SHA256: d1733a685a718b9380da380c136528144fd5de8bc47b9a2e4e2243bb0387ff80
  SHA512: b1a34dee9ccb92a3d0aed4fa7fd004a0817dc0fe1b1015633f27695f988b7523c6760daeb3c8afe5655eb00529c9e05feed533a29c5e14d704b6b105fc7d9ae3
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: c9dadc45613695610a41b2ae4703db4d
  SHA1: f80023b412f35bbc119cbdaeedc4eac379edbfc4
  SHA256: d1733a685a718b9380da380c136528144fd5de8bc47b9a2e4e2243bb0387ff80
  SHA512: b1a34dee9ccb92a3d0aed4fa7fd004a0817dc0fe1b1015633f27695f988b7523c6760daeb3c8afe5655eb00529c9e05feed533a29c5e14d704b6b105fc7d9ae3
- memory/1192-55-0x0000000075831000-0x0000000075833000-memory.dmp
  Filesize: 8KB