Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:25
Static task: static1
Behavioral task: behavioral1
- Sample: 0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe
- Resource: win10v2004-en-20220113
General
- Target: 0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe
- Size: 36KB
- MD5: 771cd073c4cefde5e8941c5465798f90
- SHA1: c87cd7de4228958b56a8aef630868cf91f562bc2
- SHA256: 0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e
- SHA512: 96b36ccdf76432e3a41187b4510ca6006463979df2b09cdee7c6ec9edaddd2edad823b1bf368bd7d1ca4c3a59a9139e1b86c670d55a44bac820918ff0fd1a90e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 944)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 432)
- Loads dropped DLL (2 IoCs)
  Processes: 0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe (PID 1192, 2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe (PID 1192)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1192 (0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe) wrote to memory of PID 944 (MediaCenter.exe): 4 entries
  PID 1192 (0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe) wrote to memory of PID 432 (cmd.exe): 4 entries
  PID 432 (cmd.exe) wrote to memory of PID 1600 (PING.EXE): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe (PID 1192)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 944)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 432)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1600)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2c0ad134354ad26cf4887b0e24a09ba6
  SHA1: c9dabd95567ebb0be52aab0020f7ee8483f142d3
  SHA256: dfd599c24af5c564728a21c529ab993ae8172561abb973ff9c33d61f44df68cf
  SHA512: d4a22153e55f50283fbc448c50b5c39ca2eba9e4acbbadca4169bfb2f6ed58f80e21cfdf0c3dc27e42f432ad77381f5748629b3d2439d49793cd90381948285c
- memory/1192-55-0x0000000074EC1000-0x0000000074EC3000-memory.dmp
  Filesize: 8KB