Analysis
- max time kernel: 151s
- max time network: 178s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:13
Static task: static1
Behavioral task: behavioral1
  Sample: 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe
  Resource: win10v2004-en-20220113
General
- Target: 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe
- Size: 58KB
- MD5: 2f93b7cfacbf63f22cd16068713d2d4a
- SHA1: 39a6fea52817db08d95745704f2b2df716dbb30a
- SHA256: 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49
- SHA512: e3f599c87cf9ac5fd57e9bfb52f33f57bfda35807a3b90f8e59d2bdc38affd496f05ff15671c7b7f882a16b4e2a91733033bf5d860918da14c85abd83b139a5f
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1652)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 380)
- Loads dropped DLL (2 IoCs)
  Processes: 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe (PID 1056), two entries
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe (PID 1056): Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1056 (0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe) wrote to memory of PID 1652 (MediaCenter.exe), 4 entries
  PID 1056 (0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe) wrote to memory of PID 380 (cmd.exe), 4 entries
  PID 380 (cmd.exe) wrote to memory of PID 1952 (PING.EXE), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe (PID 1056, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1652, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 380, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1952, depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: af419e9db0b7602979d7a35764f5d2a3
  SHA1: 560bd6288702bb3f7c4c74f8dca4c57a7fc73083
  SHA256: 83a2d019a6a0d091d7b8931be99096bf14dcb20bef9a9b0ee91e4813a7d0bff2
  SHA512: 7ecb439df7cff763e45f2b4dafcfeaeb049e3762dc0cdbc49496d9a2a02feb6e5afa5a3141b1c0e44f0be69d1e1813eabf3480db7e025a0b3b61ec291dc65df0
- memory/1056-55-0x0000000074EC1000-0x0000000074EC3000-memory.dmp
  Filesize: 8KB