Analysis
max time kernel: 118s
max time network: 132s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 10:08
Static task: static1
Behavioral task: behavioral1
  Sample: 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe
  Resource: win10v2004-en-20220113
General
Target: 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe
Size: 36KB
MD5: 2ab62d4ee9cc0d442f9dc73a2471bc81
SHA1: 19808d5626693f44f4bf049ecf1cf2cafdee3cc8
SHA256: 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203
SHA512: 11a37c052abecb741a253fc75e2006160307b388c8b15da1476615000c29de214a7845b72b7618d9abb63865163a4dccd403726b0b7ae03dcfdb4198ff3accce
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1128 MediaCenter.exe
Deletes itself (1 IoC)
  Processes (pid, process):
    436 cmd.exe
Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    812 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe
    812 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege 812 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process); each entry was recorded four times:
    PID 812 wrote to memory of 1128  812 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe  MediaCenter.exe  (x4)
    PID 812 wrote to memory of 436   812 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe  cmd.exe  (x4)
    PID 436 wrote to memory of 1200  436 cmd.exe  PING.EXE  (x4)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe"
  PID: 812
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1128
    - Executes dropped EXE
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe"
    PID: 436
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1200
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: cc0940a4b690513e7230e733effb9c37
  SHA1: 26905d4ff5949b4cbc381813ce9f37a1c534340a
  SHA256: 24e368904a7aeadbaf1534a73fb1fdc1e0e01040713151d818abb6b767f76900
  SHA512: 946151f01e99661e71e99370287c1782d9f1e21f5d0dfb4460cc174ab1b72b115c56ceeb3af3f97b229ca36a0dfa3580ad46df24da7dbe0e53093560e79d7b99
memory/812-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
  Filesize: 8KB