Analysis
- max time kernel: 152s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:26
Static task: static1
Behavioral task: behavioral1
  Sample: 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe
  Resource: win10v2004-en-20220113
General
- Target: 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe
- Size: 58KB
- MD5: 779e5a9f40abfd611849509d8247c1cc
- SHA1: b6b9a159e6321301eecbcd1188dc8919bd389be3
- SHA256: 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30
- SHA512: 980340a940003213ab8af49fdbc85771c6ae2ccac08a7e88846c9579db1f44c8db3e01df5f5a9e047e65b2be7e4c619c0277792448f86984546bebee404bb892
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  1324 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
  952 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  892 | 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe
  892 | 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege | 892 | 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 892 wrote to memory of 1324 | 892 | 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe | MediaCenter.exe
  PID 892 wrote to memory of 1324 | 892 | 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe | MediaCenter.exe
  PID 892 wrote to memory of 1324 | 892 | 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe | MediaCenter.exe
  PID 892 wrote to memory of 1324 | 892 | 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe | MediaCenter.exe
  PID 892 wrote to memory of 952 | 892 | 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe | cmd.exe
  PID 892 wrote to memory of 952 | 892 | 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe | cmd.exe
  PID 892 wrote to memory of 952 | 892 | 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe | cmd.exe
  PID 892 wrote to memory of 952 | 892 | 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe | cmd.exe
  PID 952 wrote to memory of 836 | 952 | cmd.exe | PING.EXE
  PID 952 wrote to memory of 836 | 952 | cmd.exe | PING.EXE
  PID 952 wrote to memory of 836 | 952 | cmd.exe | PING.EXE
  PID 952 wrote to memory of 836 | 952 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 892
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1324
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 952
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 836
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7843c9b55126d8d032d8ac89a0e15df2
  SHA1: f7a2a55c57cbabe2e18f4c8f8357290dacb08efb
  SHA256: 521a60d2c61ff84c512a323085973d75d2304e540559e4eb6b4e94c85738d644
  SHA512: cffaa91aa96b64cb487e75c194721ec3204d73486ce867b596b0857b565c2761b072ef57f0229a690876d6db6e8d2f237d2c4f2475caa31ab2d5fca8d7bdc0de
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7843c9b55126d8d032d8ac89a0e15df2
  SHA1: f7a2a55c57cbabe2e18f4c8f8357290dacb08efb
  SHA256: 521a60d2c61ff84c512a323085973d75d2304e540559e4eb6b4e94c85738d644
  SHA512: cffaa91aa96b64cb487e75c194721ec3204d73486ce867b596b0857b565c2761b072ef57f0229a690876d6db6e8d2f237d2c4f2475caa31ab2d5fca8d7bdc0de
- memory/892-54-0x0000000076451000-0x0000000076453000-memory.dmp
  Filesize: 8KB