Analysis
- max time kernel: 164s
- max time network: 176s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe
  Resource: win10v2004-en-20220113
General
- Target: 0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe
- Size: 58KB
- MD5: 72ff114976adb828cc6f243d3d926fda
- SHA1: c0625bc31fa4ea9e2fc3130637d40f41061ed0e2
- SHA256: 0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1
- SHA512: feaab25e558a4bfc2001ac3d5f5297915bf82e693a65c433620041232a329f4351165a3980dc8a0d8061b410f241d1d4bc3ad3ecdc10df98c3c6438440ad0a70
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes (pid, process):
  1552  MediaCenter.exe
Deletes itself (1 IoC)
Processes (pid, process):
  324  cmd.exe
Loads dropped DLL (2 IoCs)
Processes (pid, process):
  1700  0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe
  1700  0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege  1700  0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
  PID 1700 wrote to memory of 1552  1700  0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe  MediaCenter.exe
  PID 1700 wrote to memory of 1552  1700  0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe  MediaCenter.exe
  PID 1700 wrote to memory of 1552  1700  0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe  MediaCenter.exe
  PID 1700 wrote to memory of 1552  1700  0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe  MediaCenter.exe
  PID 1700 wrote to memory of 324   1700  0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe  cmd.exe
  PID 1700 wrote to memory of 324   1700  0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe  cmd.exe
  PID 1700 wrote to memory of 324   1700  0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe  cmd.exe
  PID 1700 wrote to memory of 324   1700  0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe  cmd.exe
  PID 324 wrote to memory of 588    324   cmd.exe  PING.EXE
  PID 324 wrote to memory of 588    324   cmd.exe  PING.EXE
  PID 324 wrote to memory of 588    324   cmd.exe  PING.EXE
  PID 324 wrote to memory of 588    324   cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1700
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1552
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ff4c40f529c583de61b17df33624eee67dd703d652d462d52f876952bce5ee1.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 324
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 588
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ff1e1549c2b0794f85481e7a301bb3c0
  SHA1: 9dcd3ed68eee6c189596590f68821836af1decbb
  SHA256: 428078b2ee4794ee153fbed1be4a71bc6b9e9a787d6ae18b5dc6c50381f51938
  SHA512: 5328e770b78d4ed7f9d527ee11704c48d7c6f73dd10048569405deadc52dc60777310caf441d734df4b3da502700958636563b602f6dca3993262b41c6f58527