Analysis
-
max time kernel
130s -
max time network
156s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 06:31
Static task
static1
Behavioral task
behavioral1
Sample
0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe
Resource
win10v2004-en-20220113
General
-
Target
0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe
-
Size
36KB
-
MD5
89648e27787de9228db3ace1c75bc1ce
-
SHA1
f4e0397dd756d760cdcd5a42ffc0a6c3378df009
-
SHA256
0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc
-
SHA512
d7f68236246cc46a1e30ec27d1ceb720610e711f1ab824e6e9aca7ef7a68f1c0d93ce6d841cb0e64620f4c70ec28fc68992ba7e69d46420a70911e1522d15c64
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1160 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 744 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exepid process 1672 0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe 1672 0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exedescription pid process Token: SeIncBasePriorityPrivilege 1672 0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.execmd.exedescription pid process target process PID 1672 wrote to memory of 1160 1672 0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe MediaCenter.exe PID 1672 wrote to memory of 1160 1672 0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe MediaCenter.exe PID 1672 wrote to memory of 1160 1672 0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe MediaCenter.exe PID 1672 wrote to memory of 1160 1672 0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe MediaCenter.exe PID 1672 wrote to memory of 744 1672 0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe cmd.exe PID 1672 wrote to memory of 744 1672 0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe cmd.exe PID 1672 wrote to memory of 744 1672 0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe cmd.exe PID 1672 wrote to memory of 744 1672 0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe cmd.exe PID 744 wrote to memory of 1956 744 cmd.exe PING.EXE PID 744 wrote to memory of 1956 744 cmd.exe PING.EXE PID 744 wrote to memory of 1956 744 cmd.exe PING.EXE PID 744 wrote to memory of 1956 744 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe"C:\Users\Admin\AppData\Local\Temp\0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fcb8ec62ec09a8d28f28fbd9770f178af867fa0e0866adb58f72467d8e636bc.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1956
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
c1f47c9eaccd9c4f24ee7c95c5269e57
SHA175a7610f816b29c113fdcb01c23a9bd76a012913
SHA256ec78cb05402ed957ef81c0c065f7ddd4fc3d2b7fd98af044c8fa5807427b82a3
SHA5127af13da34316c5ed4c750b1e149eb2eb2643f9ff5fb2cf6b9ff9397284a289337b7d50e47267c9049cc0d1dfd805e1090a3b7187244b0e2074bd4059e4c03096
-
MD5
c1f47c9eaccd9c4f24ee7c95c5269e57
SHA175a7610f816b29c113fdcb01c23a9bd76a012913
SHA256ec78cb05402ed957ef81c0c065f7ddd4fc3d2b7fd98af044c8fa5807427b82a3
SHA5127af13da34316c5ed4c750b1e149eb2eb2643f9ff5fb2cf6b9ff9397284a289337b7d50e47267c9049cc0d1dfd805e1090a3b7187244b0e2074bd4059e4c03096
-
MD5
c1f47c9eaccd9c4f24ee7c95c5269e57
SHA175a7610f816b29c113fdcb01c23a9bd76a012913
SHA256ec78cb05402ed957ef81c0c065f7ddd4fc3d2b7fd98af044c8fa5807427b82a3
SHA5127af13da34316c5ed4c750b1e149eb2eb2643f9ff5fb2cf6b9ff9397284a289337b7d50e47267c9049cc0d1dfd805e1090a3b7187244b0e2074bd4059e4c03096