Analysis
- max time kernel: 117s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:23
Static task: static1
Behavioral task: behavioral1
- Sample: 0a36d7c8debb1287c2b100114a24fc39ead462cb2a1f277799b40a56e855bfc0.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0a36d7c8debb1287c2b100114a24fc39ead462cb2a1f277799b40a56e855bfc0.exe
- Resource: win10v2004-en-20220113
General
- Target: 0a36d7c8debb1287c2b100114a24fc39ead462cb2a1f277799b40a56e855bfc0.exe
- Size: 35KB
- MD5: 31b5393b167d10fac8ab721c077b35d8
- SHA1: b094a0976817b1d505ed75b3c66b98fe90911b72
- SHA256: 0a36d7c8debb1287c2b100114a24fc39ead462cb2a1f277799b40a56e855bfc0
- SHA512: b1dd1dade51a42759794f5f18d32d21512750d08ee2c351bc53ab763c3ffccf9c7f7d2de5d59642c0d961a72018da48bd9dffc9092152a5c61e5cc6e937c4a26
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process): 792 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process): 1376 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process): 1672 0a36d7c8debb1287c2b100114a24fc39ead462cb2a1f277799b40a56e855bfc0.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 0a36d7c8debb1287c2b100114a24fc39ead462cb2a1f277799b40a56e855bfc0.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process): Token: SeIncBasePriorityPrivilege, 1672 0a36d7c8debb1287c2b100114a24fc39ead462cb2a1f277799b40a56e855bfc0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1672 (0a36d7c8debb1287c2b100114a24fc39ead462cb2a1f277799b40a56e855bfc0.exe) wrote to memory of PID 792 (MediaCenter.exe), 4 events
  PID 1672 (0a36d7c8debb1287c2b100114a24fc39ead462cb2a1f277799b40a56e855bfc0.exe) wrote to memory of PID 1376 (cmd.exe), 4 events
  PID 1376 (cmd.exe) wrote to memory of PID 1620 (PING.EXE), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\0a36d7c8debb1287c2b100114a24fc39ead462cb2a1f277799b40a56e855bfc0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a36d7c8debb1287c2b100114a24fc39ead462cb2a1f277799b40a56e855bfc0.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1672
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 792
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a36d7c8debb1287c2b100114a24fc39ead462cb2a1f277799b40a56e855bfc0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1376
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1620
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 30b6918bb5c5440ce7f845e13e53b0cf
  SHA1: 366cb06314be60b339f95f7820dfdc9fdda17749
  SHA256: d6da1d2e708c59c9628dae570c94377c6707bc0bc20930d3b3489e2cc145db52
  SHA512: 2849b04853cb2149e70c85a2f3491fcabd8379b02c1e879388cc463846f739d62cca06d07afac0bc7cc3304b1c97609b2591f2d7d46dc9785dc0543101d7737c
- memory/1672-54-0x0000000075341000-0x0000000075343000-memory.dmp
  Filesize: 8KB