Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:32
Static task: static1
Behavioral task: behavioral1
- Sample: 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe
- Resource: win10v2004-en-20220113
General
- Target: 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe
- Size: 60KB
- MD5: c4834e159559bfe885fc31c4b96d5d8d
- SHA1: e1f5b2eaa01c8540055bd2d74b797fe879e879d4
- SHA256: 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e
- SHA512: 96c2916e8719575fa61441de5f28c02464d2b79ba27e25cd64375053aa3cb9b5df602e01470a9ec06e21acc47fc27353fac1c3cdc9be50649b7dc27cb7b517c5
Malware Config
Signatures
- Executes dropped EXE (IoCs: 1)
  Processes:
  - PID 1656, process MediaCenter.exe
- Deletes itself (IoCs: 1)
  Processes:
  - PID 1020, process cmd.exe
- Loads dropped DLL (IoCs: 2)
  Processes:
  - PID 1340, process 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe
  - PID 1340, process 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe
- Adds Run key to start application (TTPs: 2, IoCs: 1)
  Processes:
  - Description: Set value (str)
    IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    Process: 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe
- Enumerates physical storage devices (TTPs: 1)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (TTPs: 1, IoCs: 1)
- Suspicious use of AdjustPrivilegeToken (IoCs: 1)
  Processes:
  - Description: Token: SeIncBasePriorityPrivilege
    PID 1340, process 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe
- Suspicious use of WriteProcessMemory (IoCs: 12)
  Processes (description; source PID and process; target process):
  - PID 1340 wrote to memory of 1656; 1340 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe; MediaCenter.exe
  - PID 1340 wrote to memory of 1656; 1340 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe; MediaCenter.exe
  - PID 1340 wrote to memory of 1656; 1340 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe; MediaCenter.exe
  - PID 1340 wrote to memory of 1656; 1340 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe; MediaCenter.exe
  - PID 1340 wrote to memory of 1020; 1340 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe; cmd.exe
  - PID 1340 wrote to memory of 1020; 1340 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe; cmd.exe
  - PID 1340 wrote to memory of 1020; 1340 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe; cmd.exe
  - PID 1340 wrote to memory of 1020; 1340 0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe; cmd.exe
  - PID 1020 wrote to memory of 844; 1020 cmd.exe; PING.EXE
  - PID 1020 wrote to memory of 844; 1020 cmd.exe; PING.EXE
  - PID 1020 wrote to memory of 844; 1020 cmd.exe; PING.EXE
  - PID 1020 wrote to memory of 844; 1020 cmd.exe; PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe (PID 1340, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe"
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1656, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures:
    - Executes dropped EXE
  Child: C:\Windows\SysWOW64\cmd.exe (PID 1020, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ae97d1220e719edaca47b59dc5552a0947857180ebe75468440178cddccdb3e.exe"
    Signatures:
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child: C:\Windows\SysWOW64\PING.EXE (PID 844, depth 3)
      Command line: ping 127.0.0.1
      Signatures:
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 470db7f6238c59458f0dc6be20c6667b
  SHA1: d3f840a35ed1940a350714613921dec6dd1072dc
  SHA256: 86901c64947981d6caaf7cd73846219736d8181b21899bf312ffa884150557aa
  SHA512: ad4deed98297a41ba970e777647fef11ff1b2bc210cc6b32d5a1332845d06f5e8ca0ef0e43ef34e9bc86aab033544637062259eca8e78c852c92886f4ba427bf
- memory/1340-53-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
  Filesize: 8KB