Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:18
Static task: static1
Behavioral task: behavioral1
  Sample: 0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe
  Resource: win10v2004-en-20220113
General
- Target: 0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe
- Size: 36KB
- MD5: a5741272451f7e09c64014b0b364049c
- SHA1: 56b2b8529318cc1cf7d71db33df47fc04b44f056
- SHA256: 0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2
- SHA512: 53c6a625793285b4eb577f30f4be9d716ab7bf3dd22a1d7c0940c7e5c212a8bc130cea2a42e22fd16ada688a037d0bbb80fd9187c8580a4060d379c04b81f874
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1172  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    764   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1904  0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe
    1904  0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1904
    process: 0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                  target process
    PID 1904 wrote to memory of 1172  1904  0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe  MediaCenter.exe
    PID 1904 wrote to memory of 1172  1904  0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe  MediaCenter.exe
    PID 1904 wrote to memory of 1172  1904  0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe  MediaCenter.exe
    PID 1904 wrote to memory of 1172  1904  0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe  MediaCenter.exe
    PID 1904 wrote to memory of 764   1904  0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe  cmd.exe
    PID 1904 wrote to memory of 764   1904  0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe  cmd.exe
    PID 1904 wrote to memory of 764   1904  0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe  cmd.exe
    PID 1904 wrote to memory of 764   1904  0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe  cmd.exe
    PID 764 wrote to memory of 1060   764   cmd.exe                                                                  PING.EXE
    PID 764 wrote to memory of 1060   764   cmd.exe                                                                  PING.EXE
    PID 764 wrote to memory of 1060   764   cmd.exe                                                                  PING.EXE
    PID 764 wrote to memory of 1060   764   cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe (PID 1904)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1172)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 764)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a7d63b9121288bf8a2803055b3d185458696a2981f5e0ec7b3a2a3762cb7ac2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1060)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e044177961e489b26c7ea91ffcc4108e
  SHA1: cf226be152a5194eb003d7a00981c9c4a3b6075a
  SHA256: 84eca3a8ea7b5cbeb239ede9fec9eeaaa046c701c04c6b2271e8bc9470fcd456
  SHA512: 70be429dd240a1f347bd59337fd3643e21a3a040da9398c58819b014674a4163bbcff5482ceb0bb3b7bad31f95a4e661e782e1da48e6f5c573f73f1e92b0ab53
- memory/1904-54-0x0000000074F01000-0x0000000074F03000-memory.dmp
  Filesize: 8KB