Analysis
- max time kernel: 145s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:21
Static task: static1
Behavioral task: behavioral1
  Sample: 0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe
  Resource: win10v2004-en-20220112
General
- Target: 0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe
- Size: 60KB
- MD5: e997cacd159f887f2e3ac868916ee2bd
- SHA1: 80cea80d0b2d2bb48b39e9258be88045da47cff7
- SHA256: 0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f
- SHA512: 0a1bff01a122e918ea460097c91fe364ac02bf4ba7af3ebb4a14328453ac83df8a9a6062441592159360306696d4194c4aedcb880386dd2bfe89122c3aec46ba
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    1556  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
    364  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    952  0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe
    952  0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  952  0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 952 wrote to memory of 1556  952  0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe  MediaCenter.exe
    PID 952 wrote to memory of 1556  952  0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe  MediaCenter.exe
    PID 952 wrote to memory of 1556  952  0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe  MediaCenter.exe
    PID 952 wrote to memory of 1556  952  0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe  MediaCenter.exe
    PID 952 wrote to memory of 364  952  0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe  cmd.exe
    PID 952 wrote to memory of 364  952  0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe  cmd.exe
    PID 952 wrote to memory of 364  952  0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe  cmd.exe
    PID 952 wrote to memory of 364  952  0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe  cmd.exe
    PID 364 wrote to memory of 2024  364  cmd.exe  PING.EXE
    PID 364 wrote to memory of 2024  364  cmd.exe  PING.EXE
    PID 364 wrote to memory of 2024  364  cmd.exe  PING.EXE
    PID 364 wrote to memory of 2024  364  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 952
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1556
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a557152c4d7a7dde4ac095c3eaeb4b36b2257e40fcb8b2bd3550bc29ea8d34f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 364
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2024
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7b3491d269d388e9ca088e56e0bd3a9a
  SHA1: 5aa7ae70dd00e8ee34edd62e3ca74645efded4ec
  SHA256: f8c3f47f25b021ac78a0d3731b368218ac5e6a65dd23cc661f0a0461160c90ff
  SHA512: d1360a91cfde360f6e90958ecccc91cc2d49dde8d1b9ab212fa24965bf21e469cd45e079efd9c7bbae539f03f478c5be347a52f579af26b95885df4f12d0de92
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7b3491d269d388e9ca088e56e0bd3a9a
  SHA1: 5aa7ae70dd00e8ee34edd62e3ca74645efded4ec
  SHA256: f8c3f47f25b021ac78a0d3731b368218ac5e6a65dd23cc661f0a0461160c90ff
  SHA512: d1360a91cfde360f6e90958ecccc91cc2d49dde8d1b9ab212fa24965bf21e469cd45e079efd9c7bbae539f03f478c5be347a52f579af26b95885df4f12d0de92
- memory/952-55-0x00000000756C1000-0x00000000756C3000-memory.dmp
  Filesize: 8KB