Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:18
Static task: static1

Behavioral task: behavioral1
  Sample: 0a73891bdc4d9f25fb9d8aa27aef0ed474a5fbac2b435dc12ed7792d8bbe5947.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0a73891bdc4d9f25fb9d8aa27aef0ed474a5fbac2b435dc12ed7792d8bbe5947.exe
  Resource: win10v2004-en-20220112
General
- Target: 0a73891bdc4d9f25fb9d8aa27aef0ed474a5fbac2b435dc12ed7792d8bbe5947.exe
- Size: 36KB
- MD5: 2f10a10bf45d5fee3a06552108a2bb27
- SHA1: f40241e24e32a54127e2e21892dec873d009dfd4
- SHA256: 0a73891bdc4d9f25fb9d8aa27aef0ed474a5fbac2b435dc12ed7792d8bbe5947
- SHA512: 048b8c6a0d0a90909ae7e97c749d41509ac49132eaa4126a2d48be0dcc66ba99119dc323f2bbaf1853ccd40a90c240c2c76eed8e7385cf4e54662f9be1b72c87
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1480 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    1204 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1592 | 0a73891bdc4d9f25fb9d8aa27aef0ed474a5fbac2b435dc12ed7792d8bbe5947.exe
    1592 | 0a73891bdc4d9f25fb9d8aa27aef0ed474a5fbac2b435dc12ed7792d8bbe5947.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a73891bdc4d9f25fb9d8aa27aef0ed474a5fbac2b435dc12ed7792d8bbe5947.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1592 | 0a73891bdc4d9f25fb9d8aa27aef0ed474a5fbac2b435dc12ed7792d8bbe5947.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1592 wrote to memory of 1480 | 1592 | 0a73891bdc4d9f25fb9d8aa27aef0ed474a5fbac2b435dc12ed7792d8bbe5947.exe | MediaCenter.exe (4 identical entries)
    PID 1592 wrote to memory of 1204 | 1592 | 0a73891bdc4d9f25fb9d8aa27aef0ed474a5fbac2b435dc12ed7792d8bbe5947.exe | cmd.exe (4 identical entries)
    PID 1204 wrote to memory of 1928 | 1204 | cmd.exe | PING.EXE (4 identical entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\0a73891bdc4d9f25fb9d8aa27aef0ed474a5fbac2b435dc12ed7792d8bbe5947.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a73891bdc4d9f25fb9d8aa27aef0ed474a5fbac2b435dc12ed7792d8bbe5947.exe"
  Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  PID: 1592
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures:
      - Executes dropped EXE
    PID: 1480
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a73891bdc4d9f25fb9d8aa27aef0ed474a5fbac2b435dc12ed7792d8bbe5947.exe"
    Signatures:
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    PID: 1204
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures:
        - Runs ping.exe
      PID: 1928
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 962f90a21017d4dc713771c601afe38b
  SHA1: 834f6786a6fce80b4c3245739235dbad6fe5ecc7
  SHA256: 14adc1c98e8cb73c14771351d9b8cceda923af2ed63d1885c4ea2783fcffaf27
  SHA512: 377db6084069e90011637f1722642d1463e5c088274c8b6b2e8e0c2989f1b1597e831ba60d36246674078e634d1503c455ec7c3878a613a71b3384ea2193244c
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 962f90a21017d4dc713771c601afe38b
  SHA1: 834f6786a6fce80b4c3245739235dbad6fe5ecc7
  SHA256: 14adc1c98e8cb73c14771351d9b8cceda923af2ed63d1885c4ea2783fcffaf27
  SHA512: 377db6084069e90011637f1722642d1463e5c088274c8b6b2e8e0c2989f1b1597e831ba60d36246674078e634d1503c455ec7c3878a613a71b3384ea2193244c
- memory/1592-54-0x0000000075D51000-0x0000000075D53000-memory.dmp
  Filesize: 8KB