Analysis
- max time kernel: 122s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:29
Static task: static1
Behavioral task: behavioral1
- Sample: 0aff03dae48df1c2b1b18eaa102f30b7dcd94bebe824912ec71f6ef1b9af281f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0aff03dae48df1c2b1b18eaa102f30b7dcd94bebe824912ec71f6ef1b9af281f.exe
- Resource: win10v2004-en-20220112
General
- Target: 0aff03dae48df1c2b1b18eaa102f30b7dcd94bebe824912ec71f6ef1b9af281f.exe
- Size: 36KB
- MD5: f617b6a2b397829bdae411e5113a828e
- SHA1: 0aad6ceeec994a868d0fc7d9213c8886f3f764c7
- SHA256: 0aff03dae48df1c2b1b18eaa102f30b7dcd94bebe824912ec71f6ef1b9af281f
- SHA512: dddb2b58be1f11e92d0270d77b7b7e1e22fc6119aa0d16241c512b1d55b8c2bdb8e2a66c7261cb076783799ebd6ae73e4821b3038f9b95efb69e44ee97d12d48
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1588)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 616)
- Loads dropped DLL (2 IoCs)
  Processes: 0aff03dae48df1c2b1b18eaa102f30b7dcd94bebe824912ec71f6ef1b9af281f.exe (PID 1568), 0aff03dae48df1c2b1b18eaa102f30b7dcd94bebe824912ec71f6ef1b9af281f.exe (PID 1568)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0aff03dae48df1c2b1b18eaa102f30b7dcd94bebe824912ec71f6ef1b9af281f.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0aff03dae48df1c2b1b18eaa102f30b7dcd94bebe824912ec71f6ef1b9af281f.exe (PID 1568), Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1568 (0aff03dae48df1c2b1b18eaa102f30b7dcd94bebe824912ec71f6ef1b9af281f.exe) wrote to memory of PID 1588 (MediaCenter.exe), 4 times
  PID 1568 (0aff03dae48df1c2b1b18eaa102f30b7dcd94bebe824912ec71f6ef1b9af281f.exe) wrote to memory of PID 616 (cmd.exe), 4 times
  PID 616 (cmd.exe) wrote to memory of PID 880 (PING.EXE), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0aff03dae48df1c2b1b18eaa102f30b7dcd94bebe824912ec71f6ef1b9af281f.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0aff03dae48df1c2b1b18eaa102f30b7dcd94bebe824912ec71f6ef1b9af281f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1568
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1588
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0aff03dae48df1c2b1b18eaa102f30b7dcd94bebe824912ec71f6ef1b9af281f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 616
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 880
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9c6ba6a0d776161dfecab9c0a630dad8
  SHA1: eade82a8e764dcf73e2b70932f89e4975ef59012
  SHA256: 009a457c2f117a8dc6f7f00f657bab098623fa6138c2faa66d7413351f3e7656
  SHA512: 8136ff957ce35c76e2a3fb06e2815cf4b2d853a19a61ed46de4c6a0a44c878259749f7b6df37accac1c8a02948373d5147fbfe32348125bc2a57bd7d4ca9ed04