Analysis
  Max time kernel: 120s
  Max time network: 139s
  Platform: windows7_x64
  Resource: win7-en-20211208
  Submitted: 12-02-2022 06:29

  Static task: static1
  Behavioral task: behavioral1
    Sample: 0fe1bf22ddf19d34e2b68302e3280eca90bebab7468e19c14582d2fda9ba11a6.exe
    Resource: win7-en-20211208
  Behavioral task: behavioral2
    Sample: 0fe1bf22ddf19d34e2b68302e3280eca90bebab7468e19c14582d2fda9ba11a6.exe
    Resource: win10v2004-en-20220113
General
  Target: 0fe1bf22ddf19d34e2b68302e3280eca90bebab7468e19c14582d2fda9ba11a6.exe
  Size: 58KB
  MD5: 880e1ded08d1d36203f7fc9cb6c080f9
  SHA1: c812c8b26cf5ed412e98e158eff6c7d35077d2b8
  SHA256: 0fe1bf22ddf19d34e2b68302e3280eca90bebab7468e19c14582d2fda9ba11a6
  SHA512: 5de607942e4abe56d350ce5fbbdc009100e4c6ef246431158882e990fc504c1827f79c9f4c80375881801608bb122e81f3d9e1048e7daccf9e550843fb332362
Malware Config
Signatures
  Executes dropped EXE (1 IoC)
    Process: MediaCenter.exe (PID 1680)

  Deletes itself (1 IoC)
    Process: cmd.exe (PID 1796)

  Loads dropped DLL (2 IoCs)
    Process: 0fe1bf22ddf19d34e2b68302e3280eca90bebab7468e19c14582d2fda9ba11a6.exe (PID 1688), two load events

  Adds Run key to start application (2 TTPs, 1 IoC)
    Process: 0fe1bf22ddf19d34e2b68302e3280eca90bebab7468e19c14582d2fda9ba11a6.exe (PID 1688)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    The Wow6432Node path is the 32-bit registry view: the sample runs as a 32-bit process on x64 (its children execute from SysWOW64), so a write aimed at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected there. A check for this persistence has to enumerate both views, and the value points at the dropped copy in the user's Temp directory, not at the original sample (which deletes itself, see below).

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    This is the generic signature description; nothing else in this report (no file-encryption or ransom-note artefacts) corroborates ransomware, so treat the ransomware tag as unconfirmed.

  Runs ping.exe (1 TTP, 1 IoC)
    Process: PING.EXE (PID 748), ping 127.0.0.1, spawned by cmd.exe (PID 1796); see the process tree below.

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Process: 0fe1bf22ddf19d34e2b68302e3280eca90bebab7468e19c14582d2fda9ba11a6.exe (PID 1688) enabled the token privilege SeIncBasePriorityPrivilege (raise scheduling priority). On its own this is a weak indicator; installers enable it too.

  Suspicious use of WriteProcessMemory (12 IoCs)
    PID 1688 (0fe1bf22ddf19d34e2b68302e3280eca90bebab7468e19c14582d2fda9ba11a6.exe) wrote to memory of PID 1680 (MediaCenter.exe): 4 events
    PID 1688 (0fe1bf22ddf19d34e2b68302e3280eca90bebab7468e19c14582d2fda9ba11a6.exe) wrote to memory of PID 1796 (cmd.exe): 4 events
    PID 1796 (cmd.exe) wrote to memory of PID 748 (PING.EXE): 4 events
    Every target is the writer's direct child, written at creation time. That is consistent with normal CreateProcess initialisation of a freshly spawned child rather than injection into an unrelated process, so these events corroborate the process tree but should not be read as a separate injection IoC.
Processes
  1. C:\Users\Admin\AppData\Local\Temp\0fe1bf22ddf19d34e2b68302e3280eca90bebab7468e19c14582d2fda9ba11a6.exe (PID 1688)
     Command line: "C:\Users\Admin\AppData\Local\Temp\0fe1bf22ddf19d34e2b68302e3280eca90bebab7468e19c14582d2fda9ba11a6.exe"
     Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1680)
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Signatures: Executes dropped EXE
     2. C:\Windows\SysWOW64\cmd.exe (PID 1796)
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fe1bf22ddf19d34e2b68302e3280eca90bebab7468e19c14582d2fda9ba11a6.exe"
        Signatures: Deletes itself; Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\PING.EXE (PID 748)
           Command line: ping 127.0.0.1
           Signatures: Runs ping.exe

  Reading the tree: the sample (1688) drops a copy of itself as MicroMedia\MediaCenter.exe, runs it (1680) and registers it in the Run key, then spawns cmd.exe to remove the original. The ping to loopback is a sleep, not network activity: with the default four echo requests it stalls cmd.exe for a few seconds so that 1688 has exited and released its image file before del runs. The command line names System32\cmd.exe while the executed image is SysWOW64\cmd.exe because 1688 is a 32-bit process and file-system redirection applies; match on the image path, not the command-line string, when writing detections.
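Of everything in the tree, the two behaviours worth turning into a detection are the Run value pointing into the user's Temp directory and the cmd.exe /c ping & del self-delete chain. The following Python is an added example, not part of the sandbox report: it runs both checks over constructed process and registry events that reuse the report's PIDs, paths and command lines, plus a few benign negatives. The event field names (pid, ppid, image, command_line, key, value) are an assumed schema, not a real sandbox or EDR format.

```python
"""Detection logic for two behaviours recorded in the report above.

Added example, not part of the sandbox report. The events are constructed to
mirror the report's process tree and Run-key IoC (PIDs, paths and command
lines are the report's); the field names pid/ppid/image/command_line and
key/value are an assumed schema, not any real EDR or sandbox format.
"""
import re
from typing import Dict, List

SAMPLE = "0fe1bf22ddf19d34e2b68302e3280eca90bebab7468e19c14582d2fda9ba11a6.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE

# Constructed process-creation events: the report's tree, then benign
# negatives (a setup program deleting its own log; a plain delay ping).
PROCESS_EVENTS: List[Dict] = [
    {"pid": 1688, "ppid": 1000, "image": SAMPLE_PATH, "command_line": '"' + SAMPLE_PATH + '"'},
    {"pid": 1680, "ppid": 1688, "image": TEMP + "\\MicroMedia\\MediaCenter.exe",
     "command_line": TEMP + "\\MicroMedia\\MediaCenter.exe"},
    {"pid": 1796, "ppid": 1688, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "command_line": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'},
    {"pid": 748, "ppid": 1796, "image": "C:\\Windows\\SysWOW64\\PING.EXE", "command_line": "ping 127.0.0.1"},
    {"pid": 2200, "ppid": 1000, "image": "C:\\Program Files\\Setup\\setup.exe", "command_line": "setup.exe"},
    {"pid": 2210, "ppid": 2200, "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": 'cmd.exe /c del /q "' + TEMP + '\\setup.log"'},
    {"pid": 2220, "ppid": 2200, "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c ping 127.0.0.1 -n 3"},
]

# Constructed registry set-value events: the report's Run key, then a benign
# Run value that points into the Windows directory.
REGISTRY_EVENTS: List[Dict] = [
    {"pid": 1688,
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroMedia",
     "value": TEMP + "\\MicroMedia\\MediaCenter.exe"},
    {"pid": 900,
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "value": "%windir%\\system32\\SecurityHealthSystray.exe"},
]

# ping to loopback (usual spellings) used as a sleep before the next command
PING_DELAY = re.compile(r"\bping(?:\.exe)?\b[^&|]*?(?:127\.0\.0\.1|localhost|::1)(?![\w.])", re.I)
# the path handed to del/erase, quoted or not, after any switches such as /q
DEL_TARGET = re.compile(r"\b(?:del|erase)\b(?:\s+/\w+)*\s+\"?([^\"&|]+?)\"?\s*$", re.I)
# the value name under a Run/RunOnce key, in either the native or Wow6432Node view
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
# user-writable locations; a Run value pointing here is a heuristic red flag, not proof
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")


def find_self_deletion(events: List[Dict]) -> List[Dict]:
    """Flag a cmd.exe whose command line deletes the image file of its own parent."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_TARGET.search(e["command_line"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == m.group(1).strip().lower():
            findings.append({"pid": e["pid"], "parent_pid": parent["pid"], "deleted": parent["image"],
                             "delayed_with_ping": bool(PING_DELAY.search(e["command_line"]))})
    return findings


def find_suspicious_run_keys(events: List[Dict]) -> List[Dict]:
    """Flag Run/RunOnce values whose executable lives in a user-writable temp location."""
    findings = []
    for e in events:
        m = RUN_KEY.search(e["key"])
        if not m:
            continue
        value = e["value"].strip()
        # executable path = the quoted token, or everything up to the first space
        exe = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
        if any(frag in exe.lower() for frag in USER_WRITABLE):
            findings.append({"pid": e["pid"], "name": m.group(1), "target": exe,
                             "view": "Wow6432Node" if "\\wow6432node\\" in e["key"].lower() else "native"})
    return findings


if __name__ == "__main__":
    for f in find_self_deletion(PROCESS_EVENTS):
        print("self-delete:", f)
    for f in find_suspicious_run_keys(REGISTRY_EVENTS):
        print("run-key:", f)
```

The self-delete check keys on the relationship (the path passed to del equals the parent's image) rather than on the ping string, because `ping 127.0.0.1` is a common benign delay; the ping is reported only as a secondary attribute. The Run-key check matches both registry views, since this sample's write landed under Wow6432Node and a native-view-only query would miss it.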
Network
MITRE ATT&CK Enterprise v6
Downloads
  File (hashes differ from the submitted sample in General; the same entry is recorded three times)
    MD5: f9cbdc62a13454970c0f9375e604a4e3
    SHA1: 5c9f0629064a8cf6fedcd4c9e6345c43d76386a1
    SHA256: 8d04a8709b85d1e3ea45eeddd4107de6441e9e0e64706cc74724c5bdc2cd277b
    SHA512: bbe360136b9c782cb194e68d955096fed9355c210601c0c00f297750d10b08b2d019bcab2609442401a241f721648dcf085acbf043a6960096ab49517b072767