Analysis
- max time kernel: 127s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:28
Static task: static1
Behavioral task: behavioral1
  Sample: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe
  Resource: win10v2004-en-20220113
General
- Target: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe
- Size: 58KB
- MD5: 7e8dfa736952b906c1d426bc47a9cf26
- SHA1: 56bf1064f3f8b7902baa3d808709379960bf43f4
- SHA256: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914
- SHA512: d48524bc5ccd2751317d819e3925ea9a66af0586e6abfca8b451860e5b963d98b020cde24f84d29f4a51fcf3e7067400c3c2eca72216865320e4fc136bf25f6e
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe (pid 1412)
- Deletes itself (1 IoCs)
  Processes: cmd.exe (pid 1084)
- Loads dropped DLL (2 IoCs)
  Processes: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe (pid 1704), 2 entries
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe (pid 1704)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1704 (0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe) wrote to memory of PID 1412 (MediaCenter.exe), 4 entries
  PID 1704 (0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe) wrote to memory of PID 1084 (cmd.exe), 4 entries
  PID 1084 (cmd.exe) wrote to memory of PID 1928 (PING.EXE), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1704
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1412
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1084
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1928
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 179d2d54db61f9ba4d898dd1c169071f
  SHA1: 9b4f9c7b23d30e7673b4fe385fb174925efd2d1a
  SHA256: 7bd18eaa69f19af2e730ea8d5064ea2e39fc0f5294a909b82770d4f607ad31d8
  SHA512: 202056a29baa3a98597d0486a31d208bec536931bbca760241efa493a5c3e14521127fd17cc0734278739a4377dd867d245e396c2c6287c20afc4e547f45698b