Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:20
Static task: static1
Behavioral task: behavioral1
  Sample: 0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe
  Resource: win10v2004-en-20220113
General
- Target: 0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe
- Size: 36KB
- MD5: cd84359af28693637a338193097fb4ca
- SHA1: 951c009af198d24364599ed4209312870b400b08
- SHA256: 0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8
- SHA512: c27bced8784bac0e77297493c1af3c6124d12bdc44028b4827882d8cf58976861adf4a101a3a767f21901244397ba238c801180a17875674bdac1f6550d106a8
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    956  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1664  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1884  0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe
    1884  0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege
    1884
    0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1884 wrote to memory of 956  | 1884 | 0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe | MediaCenter.exe
    PID 1884 wrote to memory of 956  | 1884 | 0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe | MediaCenter.exe
    PID 1884 wrote to memory of 956  | 1884 | 0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe | MediaCenter.exe
    PID 1884 wrote to memory of 956  | 1884 | 0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe | MediaCenter.exe
    PID 1884 wrote to memory of 1664 | 1884 | 0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe | cmd.exe
    PID 1884 wrote to memory of 1664 | 1884 | 0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe | cmd.exe
    PID 1884 wrote to memory of 1664 | 1884 | 0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe | cmd.exe
    PID 1884 wrote to memory of 1664 | 1884 | 0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe | cmd.exe
    PID 1664 wrote to memory of 1200 | 1664 | cmd.exe | PING.EXE
    PID 1664 wrote to memory of 1200 | 1664 | cmd.exe | PING.EXE
    PID 1664 wrote to memory of 1200 | 1664 | cmd.exe | PING.EXE
    PID 1664 wrote to memory of 1200 | 1664 | cmd.exe | PING.EXE
Processes (indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1884
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 956
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a5fdec8203799cc7ba7f30a721591ff4c9a70b28fe91e484149c5136cbcc8e8.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1664
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1200
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: bef901917f1a30f18f5395dd69a3ce1e
  SHA1: 159d9dad748d884ce2abdbfd213fa7436e43c9a9
  SHA256: ebb884b07b093b8ff7abaa0c47ece4c2e38a1b3e892e57775e57bdad766505c3
  SHA512: 138e5a79e273047a9ded49532d7ab7ad154b5427f59e85122a09f630f8992ea7c730037afa54d52fa757b0f0905ae66bb2c7f4e3cd6a4cbf7f93483d13e3d2de
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: bef901917f1a30f18f5395dd69a3ce1e
  SHA1: 159d9dad748d884ce2abdbfd213fa7436e43c9a9
  SHA256: ebb884b07b093b8ff7abaa0c47ece4c2e38a1b3e892e57775e57bdad766505c3
  SHA512: 138e5a79e273047a9ded49532d7ab7ad154b5427f59e85122a09f630f8992ea7c730037afa54d52fa757b0f0905ae66bb2c7f4e3cd6a4cbf7f93483d13e3d2de
- memory/1884-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB