Analysis
max time kernel: 122s
max time network: 133s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:18
Static task: static1
Behavioral task: behavioral1
  Sample: 0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe
  Resource: win10v2004-en-20220112
General
Target: 0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe
Size: 35KB
MD5: a379f535ff71e6f1c933873565c795a8
SHA1: 5364ce112f61d89f73b7dfac89e052e87a2444ea
SHA256: 0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196
SHA512: 72423ba9f939a3f840e2f16660ace0ceb855394d7c1e1e28eb307f186c8dcdcf88a67e5563fd5b59d3d3de0aba73f4cea07eeff18c4802309c896f601a1bdb43
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 948
Deletes itself (1 IoC)
  Process: cmd.exe, PID 928
Loads dropped DLL (2 IoCs)
  Process: 0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe, PID 1768 (2 events)
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe, PID 1768
  Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1768 (0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe) wrote to memory of PID 948 (MediaCenter.exe), 4 events
  PID 1768 (0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe) wrote to memory of PID 928 (cmd.exe), 4 events
  PID 928 (cmd.exe) wrote to memory of PID 1696 (PING.EXE), 4 events
Processes
C:\Users\Admin\AppData\Local\Temp\0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe"
  PID: 1768
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 948
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe"
    PID: 928
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1696
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: af43df41b7e859abcaab8ba10c1df00a
  SHA1: f8525ea48b94ba20d5ab4d861eb5a7f4baf1c920
  SHA256: 646021cc29e1cd1a850c393470154475cce4e9a37e3e01a742672d948c4cb502
  SHA512: f04e30a05937d74b7d5ef7e780a837ab683d38d3650055210b94dcb21a3bd520a055ca29f4c70fa0d7f980eb3a5ecc5b162199c50a8d1e278e6ec070678bbf28
memory/1768-55-0x00000000762C1000-0x00000000762C3000-memory.dmp
  Filesize: 8KB