Analysis
- max time kernel: 134s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:28
Static task: static1
Behavioral task: behavioral1
- Sample: 0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe
- Resource: win10v2004-en-20220113
General
- Target: 0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe
- Size: 36KB
- MD5: caa0ab9c8cabe80d780014541537c229
- SHA1: 5df650a1f29778ee9169e4a86fddae04ad8de975
- SHA256: 0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23
- SHA512: 7e61b22979784ca156aec5e5d6619964ffce46542ff12d7b42bfae252b3207d36b234c85b9a8400fd162c1bc5c808383ff092c351dfe451049eab033993cf491
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    1192  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
    1084  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1756  0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe
    1756  0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1756  0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1756 wrote to memory of 1192  1756  0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe  MediaCenter.exe
    PID 1756 wrote to memory of 1192  1756  0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe  MediaCenter.exe
    PID 1756 wrote to memory of 1192  1756  0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe  MediaCenter.exe
    PID 1756 wrote to memory of 1192  1756  0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe  MediaCenter.exe
    PID 1756 wrote to memory of 1084  1756  0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe  cmd.exe
    PID 1756 wrote to memory of 1084  1756  0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe  cmd.exe
    PID 1756 wrote to memory of 1084  1756  0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe  cmd.exe
    PID 1756 wrote to memory of 1084  1756  0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe  cmd.exe
    PID 1084 wrote to memory of 1060  1084  cmd.exe  PING.EXE
    PID 1084 wrote to memory of 1060  1084  cmd.exe  PING.EXE
    PID 1084 wrote to memory of 1060  1084  cmd.exe  PING.EXE
    PID 1084 wrote to memory of 1060  1084  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1756
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1192
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fe57972c50d6ebe2e3684dd4363343f3d30020d7a7cbcdc450a1386c48b4a23.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1084
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1060
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 13f98cb350b22c1858b68ecedf4aad2a
  SHA1: 8e79c59c9bb044e43ee257a4b979a62183428f23
  SHA256: e37a13a9d27b210df265d75293c7f143bf37d35a694de6d4533cca3105ea600d
  SHA512: 0d1850734e6f84ae0154f3664722005a0e2a5fdc1c7ff3af9da4c188a8b61280901e359158ee642c1681370a5711001778c62539d8eea8453a0567fa99659927