Analysis
max time kernel: 138s
max time network: 169s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:18
Static task: static1
Behavioral task: behavioral1
  Sample: 0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe
  Resource: win10v2004-en-20220112
General
Target: 0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe
Size: 36KB
MD5: b0588c204337482f7d96d559d99bd0ea
SHA1: 0e69b5404de583fc2009bb0a9b6ac284f1560275
SHA256: 0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245
SHA512: dbc6e089fcfe300a21c996082b905118fbb0201f4da92c4f8901f224164e08ab784fbadbd9c8a9aabae86e91a6d738f7159d65e0933ee491cb861ad579df7470
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  964   MediaCenter.exe

Deletes itself (1 IoCs)
Processes:
  pid   process
  1920  cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  480   0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe
  480   0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  480   0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process                                                                 target process
  PID 480 wrote to memory of 964     480   0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe   MediaCenter.exe
  PID 480 wrote to memory of 964     480   0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe   MediaCenter.exe
  PID 480 wrote to memory of 964     480   0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe   MediaCenter.exe
  PID 480 wrote to memory of 964     480   0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe   MediaCenter.exe
  PID 480 wrote to memory of 1920    480   0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe   cmd.exe
  PID 480 wrote to memory of 1920    480   0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe   cmd.exe
  PID 480 wrote to memory of 1920    480   0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe   cmd.exe
  PID 480 wrote to memory of 1920    480   0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe   cmd.exe
  PID 1920 wrote to memory of 1236   1920  cmd.exe                                                                 PING.EXE
  PID 1920 wrote to memory of 1236   1920  cmd.exe                                                                 PING.EXE
  PID 1920 wrote to memory of 1236   1920  cmd.exe                                                                 PING.EXE
  PID 1920 wrote to memory of 1236   1920  cmd.exe                                                                 PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 480

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 964

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dead0ff291b882e7d16c5ed8f2ec148e173eeb2a3fabe22093dc4c534fa6245.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1920

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1236
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c477294a1210c7a875921fd64ee57e9d
SHA1: 3671a0d87e8bb9d5655b9b0514ed343e3920dba0
SHA256: 8b7458ab660871408c73a75bb7201a55078e58c081e981530b8d5cfd0b32b98b
SHA512: 909d1cb41b59e59727a5de27f075f9da2de5dbfd14b64907d73eeb981f851ff06a4c67ba09b8cdc20e4e88109e838f4f7e67ef9d8ee24b9f87908e6ede8d8504