Analysis
- max time kernel: 122s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:23
Static task: static1
Behavioral task: behavioral1
  Sample: 0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe
  Resource: win10v2004-en-20220112
General
- Target: 0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe
- Size: 58KB
- MD5: 02373a00d8dece4b46e0f7b742175a68
- SHA1: bed85df05f74082122af987e5e9907451ba49525
- SHA256: 0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088
- SHA512: 9735a1de658ed1aff21d7a6a1126fead7fcccb19f99c58aa2965adf964be622250497610efc8a4d83e9f1d2c837a4b56dea6e91fbda4d29ab16f589e5e7ca6b3
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  Processes:
    pid    process
    1848   MediaCenter.exe
-
Deletes itself (1 IoC)
  Processes:
    pid    process
    776    cmd.exe
-
Loads dropped DLL (2 IoCs)
  Processes:
    pid    process
    832    0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe
    832    0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description       ioc                                                                                                                                                          process
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                         pid    process
    Token: SeIncBasePriorityPrivilege   832    0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                     pid    process                                                                   target process
    PID 832 wrote to memory of 1848   832    0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe    MediaCenter.exe
    PID 832 wrote to memory of 1848   832    0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe    MediaCenter.exe
    PID 832 wrote to memory of 1848   832    0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe    MediaCenter.exe
    PID 832 wrote to memory of 1848   832    0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe    MediaCenter.exe
    PID 832 wrote to memory of 776    832    0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe    cmd.exe
    PID 832 wrote to memory of 776    832    0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe    cmd.exe
    PID 832 wrote to memory of 776    832    0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe    cmd.exe
    PID 832 wrote to memory of 776    832    0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe    cmd.exe
    PID 776 wrote to memory of 1992   776    cmd.exe                                                                   PING.EXE
    PID 776 wrote to memory of 1992   776    cmd.exe                                                                   PING.EXE
    PID 776 wrote to memory of 1992   776    cmd.exe                                                                   PING.EXE
    PID 776 wrote to memory of 1992   776    cmd.exe                                                                   PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 832
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1848
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a3abd1b4ac0124d2e8c6d3624806ba9916710b86ba9e1a88e41bb085db80088.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 776
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1992
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7e0239b86bdf61bace0c0de9f37bd2bc
  SHA1: 952eaa2effe211116983186ac03bdc73f845e66a
  SHA256: 9e0e8f41ea169a8ec76597512eb1c6286a08d9b70200b4056afb3e9b995fbe83
  SHA512: 42144aa274ad3fd5ca5a5acabdfc50be37502b8cdf0ae12cc44995d40349d6fc53e240f55a41626f786b514b25afc6a5ea825a77b39fd0c7cfc95a43e0288fcb
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7e0239b86bdf61bace0c0de9f37bd2bc
  SHA1: 952eaa2effe211116983186ac03bdc73f845e66a
  SHA256: 9e0e8f41ea169a8ec76597512eb1c6286a08d9b70200b4056afb3e9b995fbe83
  SHA512: 42144aa274ad3fd5ca5a5acabdfc50be37502b8cdf0ae12cc44995d40349d6fc53e240f55a41626f786b514b25afc6a5ea825a77b39fd0c7cfc95a43e0288fcb
- memory/832-54-0x0000000075891000-0x0000000075893000-memory.dmp
  Filesize: 8KB