Analysis
- max time kernel: 118s
- max time network: 134s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:30
Static task: static1
Behavioral task: behavioral1
- Sample: 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe
- Resource: win10v2004-en-20220113
General
- Target: 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe
- Size: 36KB
- MD5: df5e61ebcc07a243702efe6260c7b881
- SHA1: 78f7a059e79d4fee43a6edd301ad93cd8586200a
- SHA256: 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf
- SHA512: 26dcbc6ff5c6e8e0d0e62c9e7b6c1c9585a2d958567a48f851e4f28139d5892df9b892a9c9a2225d6a390c8f42311f623b96240559bad196fc3a6b65e1db9237
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  1180 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
  1316 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  800 | 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe
  800 | 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege | 800 | 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 800 wrote to memory of 1180 | 800 | 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe | MediaCenter.exe
  PID 800 wrote to memory of 1180 | 800 | 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe | MediaCenter.exe
  PID 800 wrote to memory of 1180 | 800 | 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe | MediaCenter.exe
  PID 800 wrote to memory of 1180 | 800 | 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe | MediaCenter.exe
  PID 800 wrote to memory of 1316 | 800 | 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe | cmd.exe
  PID 800 wrote to memory of 1316 | 800 | 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe | cmd.exe
  PID 800 wrote to memory of 1316 | 800 | 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe | cmd.exe
  PID 800 wrote to memory of 1316 | 800 | 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe | cmd.exe
  PID 1316 wrote to memory of 1220 | 1316 | cmd.exe | PING.EXE
  PID 1316 wrote to memory of 1220 | 1316 | cmd.exe | PING.EXE
  PID 1316 wrote to memory of 1220 | 1316 | cmd.exe | PING.EXE
  PID 1316 wrote to memory of 1220 | 1316 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe"
  PID: 800
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1180
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe"
    PID: 1316
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1220
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0f71ed89031fb98fa92575ba54653d5c
  SHA1: c2131e57804f77859a9e66599e7d2f287d40af64
  SHA256: 8bae5cdd71fd63fc54c1e28d5f5fc15daae826cb7584bdd71a3495ab51d54243
  SHA512: c2658044584dbec681d3697d5834a1a323cee5bf24bfd3af164fb99d3396c580bf97f9b01fa5d8f389a9fde272003a7078b35b8a4241078e2182565f5e02cdc2
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0f71ed89031fb98fa92575ba54653d5c
  SHA1: c2131e57804f77859a9e66599e7d2f287d40af64
  SHA256: 8bae5cdd71fd63fc54c1e28d5f5fc15daae826cb7584bdd71a3495ab51d54243
  SHA512: c2658044584dbec681d3697d5834a1a323cee5bf24bfd3af164fb99d3396c580bf97f9b01fa5d8f389a9fde272003a7078b35b8a4241078e2182565f5e02cdc2
- memory/800-0-0x0000000075F21000-0x0000000075F23000-memory.dmp
  Filesize: 8KB