Analysis
- max time kernel: 119s
- max time network: 131s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:14
Static task: static1
Behavioral task: behavioral1
  Sample: 0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe
  Resource: win10v2004-en-20220112
General
- Target: 0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe
- Size: 60KB
- MD5: 0c004ece992c29a7cd95813f1b262f86
- SHA1: 80b47c3167333db588e04900e92d8a677d177fde
- SHA256: 0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0
- SHA512: 4bbdf9614b92f270bf9d27eb4cb6505707aaef7800dec47a92469d6494997f321b82ca9c18c3577a953c537c5bbfecb36c47495870ed01e3b42fc56505467a38
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1724  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    1460  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1212  0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe
    1212  0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                                         process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                        pid   process
    Token: SeIncBasePriorityPrivilege  1212  0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                 target process
    PID 1212 wrote to memory of 1724  1212  0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe  MediaCenter.exe
    PID 1212 wrote to memory of 1724  1212  0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe  MediaCenter.exe
    PID 1212 wrote to memory of 1724  1212  0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe  MediaCenter.exe
    PID 1212 wrote to memory of 1724  1212  0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe  MediaCenter.exe
    PID 1212 wrote to memory of 1460  1212  0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe  cmd.exe
    PID 1212 wrote to memory of 1460  1212  0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe  cmd.exe
    PID 1212 wrote to memory of 1460  1212  0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe  cmd.exe
    PID 1212 wrote to memory of 1460  1212  0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe  cmd.exe
    PID 1460 wrote to memory of 1080  1460  cmd.exe                                                                 PING.EXE
    PID 1460 wrote to memory of 1080  1460  cmd.exe                                                                 PING.EXE
    PID 1460 wrote to memory of 1080  1460  cmd.exe                                                                 PING.EXE
    PID 1460 wrote to memory of 1080  1460  cmd.exe                                                                 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1212
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1724
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0aacb1e36ef11fb6e652c83bee25d0716385a356aa7d4e86a209e818fecac1e0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1460
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1080
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a1aeb16712a64b426756bf44e6f00e9e
  SHA1: f8198d9f60fee05f92ab306daf8aecdb2e62494a
  SHA256: 5c1bb0a721035d8967b86a8db978e3a9ad2dafd1ad81a7a7c28676564a2f5f36
  SHA512: 6d8a5b776754d16bb3f65b5f762d78db59723562aa38406bd1b4ef192c9acce350d52aad5a3a1d363eb8a6b811c4102bd10dff8b237b7c1773da06b28d33fc56
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a1aeb16712a64b426756bf44e6f00e9e
  SHA1: f8198d9f60fee05f92ab306daf8aecdb2e62494a
  SHA256: 5c1bb0a721035d8967b86a8db978e3a9ad2dafd1ad81a7a7c28676564a2f5f36
  SHA512: 6d8a5b776754d16bb3f65b5f762d78db59723562aa38406bd1b4ef192c9acce350d52aad5a3a1d363eb8a6b811c4102bd10dff8b237b7c1773da06b28d33fc56
- memory/1212-54-0x0000000076C91000-0x0000000076C93000-memory.dmp
  Filesize: 8KB