Analysis
-
max time kernel
159s -
max time network
181s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 09:55
Static task
static1
Behavioral task
behavioral1
Sample
0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe
Resource
win10v2004-en-20220112
General
-
Target
0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe
-
Size
60KB
-
MD5
ae29bc8474133b1c21cdbb70ed9a6b5e
-
SHA1
fa540dbb7d30c84a0b7216919075e80fe78b2c5a
-
SHA256
0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56
-
SHA512
63166a18adff65752c5045436f1094bcbfab6f2c8254a55d7fc07a3c7312b02373bc1dbdf4dd9ead177a09e9c079326f345593bdfea992dd37617f9996e14ed1
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 744 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 932 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exepid process 1084 0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe 1084 0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exedescription pid process Token: SeIncBasePriorityPrivilege 1084 0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.execmd.exedescription pid process target process PID 1084 wrote to memory of 744 1084 0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe MediaCenter.exe PID 1084 wrote to memory of 744 1084 0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe MediaCenter.exe PID 1084 wrote to memory of 744 1084 0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe MediaCenter.exe PID 1084 wrote to memory of 744 1084 0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe MediaCenter.exe PID 1084 wrote to memory of 932 1084 0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe cmd.exe PID 1084 wrote to memory of 932 1084 0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe cmd.exe PID 1084 wrote to memory of 932 1084 0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe cmd.exe PID 1084 wrote to memory of 932 1084 0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe cmd.exe PID 932 wrote to memory of 1980 932 cmd.exe PING.EXE PID 932 wrote to memory of 1980 932 cmd.exe PING.EXE PID 932 wrote to memory of 1980 932 cmd.exe PING.EXE PID 932 wrote to memory of 1980 932 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe"C:\Users\Admin\AppData\Local\Temp\0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0898d26bed7954662fb15e0cc8858c5d9d5ab62fba24942473f5949c136cff56.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1980
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
fdc7eab85ba69b6e0a0f019ff2e89076
SHA166b43df6206d0351cd7eb2058fb6b1580489a6de
SHA256c69c9d84c6cd3b42c120f1e51621de7837a1edf4abbe40cdfc58b8906f109f05
SHA5123e350e1f70cf4fb6152f65415c79cbf477b6271d1f407f81552e63a3ae500191062130cb95e6f98385d44e18daa0c5ce7a37372ab77474b8c920addb3c3e73b8
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
fdc7eab85ba69b6e0a0f019ff2e89076
SHA166b43df6206d0351cd7eb2058fb6b1580489a6de
SHA256c69c9d84c6cd3b42c120f1e51621de7837a1edf4abbe40cdfc58b8906f109f05
SHA5123e350e1f70cf4fb6152f65415c79cbf477b6271d1f407f81552e63a3ae500191062130cb95e6f98385d44e18daa0c5ce7a37372ab77474b8c920addb3c3e73b8
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
fdc7eab85ba69b6e0a0f019ff2e89076
SHA166b43df6206d0351cd7eb2058fb6b1580489a6de
SHA256c69c9d84c6cd3b42c120f1e51621de7837a1edf4abbe40cdfc58b8906f109f05
SHA5123e350e1f70cf4fb6152f65415c79cbf477b6271d1f407f81552e63a3ae500191062130cb95e6f98385d44e18daa0c5ce7a37372ab77474b8c920addb3c3e73b8
-
memory/1084-54-0x0000000075341000-0x0000000075343000-memory.dmpFilesize
8KB