Analysis
  Max time kernel: 118s
  Max time network: 130s
  Platform: windows7_x64
  Resource: win7-en-20211208
  Submitted: 12-02-2022 09:17
Static task: static1
Behavioral task: behavioral1
  Sample: 0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe
  Resource: win10v2004-en-20220113
General
  Target: 0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe
  Size: 36KB
  MD5: 08817fc7b360a66e5365bf1bbbf6cc6b
  SHA1: 31b79a0f148e4742b7cfadd81b54d0e3619b857d
  SHA256: 0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e
  SHA512: 0a8c8beceb88ba590789f92ec3d33892e2a10841adb06c85782a3c2fb6be295f3a54e4e8172af721811a2dab001dbf7a3a924e3c42f2c2aacb9f152177027409
Malware Config
Signatures
  Executes dropped EXE (1 IoC)
    Process: MediaCenter.exe (PID 1912)
  Deletes itself (1 IoC)
    Process: cmd.exe (PID 1316)
  Loads dropped DLL (2 IoCs, both from the same process)
    Process: 0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe (PID 1788)
  Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    Process: 0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe (PID 1788)
    Note: the key lives under Wow6432Node because the sample is a 32-bit process on a 64-bit host; the autostart target is the dropped copy in the user's Temp directory, not the original sample.
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Runs ping.exe (1 TTP, 1 IoC)
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Token: SeIncBasePriorityPrivilege, 0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe (PID 1788)
  Suspicious use of WriteProcessMemory (12 IoCs)
    PID 1788 (0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe) wrote to memory of PID 1912 (MediaCenter.exe), 4 times
    PID 1788 (0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe) wrote to memory of PID 1316 (cmd.exe), 4 times
    PID 1316 (cmd.exe) wrote to memory of PID 1220 (PING.EXE), 4 times
    Note: every write target is a child the writing process itself spawned (see the process tree), so these entries are consistent with ordinary child-process creation rather than injection into an unrelated process.
Processes
  1. C:\Users\Admin\AppData\Local\Temp\0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe (PID 1788)
     Command line: "C:\Users\Admin\AppData\Local\Temp\0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe"
     Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1912)
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Signatures: Executes dropped EXE
     2. C:\Windows\SysWOW64\cmd.exe (PID 1316)
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe"
        Signatures: Deletes itself; Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\PING.EXE (PID 1220)
           Command line: ping 127.0.0.1
           Signatures: Runs ping.exe
  Notes: the command line names System32\cmd.exe but the image that runs is SysWOW64\cmd.exe because the 32-bit parent is subject to WoW64 file system redirection. The ping to 127.0.0.1 does no network work; it is a short delay so that the del runs after the original sample has exited and its file is no longer locked. The dropped copy under Temp\MicroMedia (registered in the Run key) is what survives.
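The tree above contains the two behaviours a responder would most want to alert on from endpoint telemetry: a cmd.exe child that deletes its own parent's image after a loopback ping, and a Run value that points into a user-writable Temp path at a binary the same process tree already executed. The Python below is an added example, not part of the sandbox report or of the sample; it runs those two detections over constructed process-creation and registry-set records that mirror the tree above. The record schema, the parent PIDs 1000/900/600, the PID 2044 benign ping and the SecurityHealth Run value are assumptions made for the example, not sandbox output.

```python
"""Detect the self-deletion and Run-key persistence pattern from the process tree.

Added example; the event records below are constructed to mirror the sandbox
report and are not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (assumed schema: pid, parent pid, image, command line)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegSetEvent:
    """One registry value-set record (assumed schema: writing pid, key, value name, data)."""
    pid: int
    key: str
    name: str
    data: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROPPED_PATH = TEMP + r"\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report's tree, plus two benign controls (assumed).
PROC_EVENTS: List[ProcEvent] = [
    ProcEvent(1788, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1912, 1788, DROPPED_PATH, DROPPED_PATH),
    ProcEvent(1316, 1788, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_PATH}"'),
    ProcEvent(1220, 1316, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # benign control: an operator pinging a host from a console (constructed)
    ProcEvent(2044, 900, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 10.0.0.1'),
]
REG_EVENTS: List[RegSetEvent] = [
    RegSetEvent(1788, r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
                "MicroMedia", DROPPED_PATH),
    # benign control: a Run value pointing into a protected system directory (constructed)
    RegSetEvent(600, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

# "ping 127.0.0.1 ... & del ...": the ping only delays del until the parent has exited.
SELF_DELETE_RE = re.compile(r"\bping\b[^&|]*\b127\.0\.0\.1\b[^&|]*[&|]+\s*del\b", re.I)
# Pull the (optionally quoted) path out of "del [/switches] <path>" at the end of the line.
DEL_TARGET_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?(?P<target>[^"]+?)"?\s*$', re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")


def find_self_deletion(events: List[ProcEvent]) -> List[Dict]:
    """Flag cmd.exe instances whose del target is their own parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not SELF_DELETE_RE.search(e.cmdline):
            continue
        m = DEL_TARGET_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        # Only the parent deleting its own binary counts; a random del after a ping does not.
        if m and parent and parent.image.lower() == m.group("target").lower():
            hits.append({"pid": e.pid, "parent_pid": parent.pid, "deleted": m.group("target")})
    return hits


def find_run_key_persistence(reg: List[RegSetEvent], procs: List[ProcEvent]) -> List[Dict]:
    """Flag Run/RunOnce values that point into user-writable paths; note if the target already ran."""
    executed = {p.image.lower() for p in procs}
    hits = []
    for r in reg:
        if not RUN_KEY_RE.search(r.key):
            continue
        target = r.data.strip('"')
        if not any(loc in target.lower() for loc in USER_WRITABLE):
            continue
        hits.append({"pid": r.pid, "value": r.name, "target": target,
                     "already_executed": target.lower() in executed})
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(PROC_EVENTS) + find_run_key_persistence(REG_EVENTS, PROC_EVENTS):
        print(hit)
```

Both rules are deliberately narrow: the self-deletion rule requires the deleted path to equal the parent's own image, which is what separates this pattern from an administrator clearing a file after a connectivity check, and the Run-key rule only fires on targets under user-writable directories, where a Run value set by an installer into Program Files or System32 would not. The `already_executed` field ties the persistence entry back to the "Executes dropped EXE" signature, which is the strongest single signal in this tree.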
Network
MITRE ATT&CK Enterprise v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5: dd365b6ca0da03dafad4d6b18f199bcc
    SHA1: 1e2b7b7ec6695653fc1eed4e95b06f5497ee070b
    SHA256: 0cc0b74262a0f521e46996631bef182f91570eeadc012e8892753c8ddae33c22
    SHA512: 212039cb972e1cf98d0b41e24c99d9c49c535eb8e821386be41f03d4899eb83d9b31f5d1890fa7a794d4624fc2766956b3fa0a3fc7947c59f4eaab84d9279df1
  memory/1788-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
    Filesize: 8KB