Analysis
max time kernel: 119s
max time network: 130s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:17

Static task: static1
Behavioral task: behavioral1
  Sample: 0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe
  Resource: win10v2004-en-20220112
General
Target: 0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe
Size: 58KB
MD5: 9ba9327d1caebc25bcd9f8d4449a2b60
SHA1: 88c03435714fd613fdbf0f5ac6bcba645a145c5b
SHA256: 0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6
SHA512: f3ba5264f9e2d67236fd5277e46f0270c512e92bc49b4e74933a6ac760b770e917fe89f4746f077e93aa6fafb7840f1dcfc713b90b4d683467ec9c870ab115d2
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1472
Deletes itself (1 IoC)
  Process: cmd.exe, PID 1796
Loads dropped DLL (2 IoCs)
  Process: 0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe, PID 1720 (two loads)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe, PID 1720
  Note: the key lands under the Wow6432Node view, i.e. the 32-bit registry view of a 64-bit host, which is consistent with a 32-bit sample (cmd.exe also resolves to SysWOW64 in the process tree below). The value is machine-wide persistence (HKLM\...\Run) pointing at a copy in the user's Temp directory; writing it needs HKLM write access, which the sandbox's Admin user has.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but the label is a generic heuristic for this signature; no file-encryption or ransom-note activity is reported anywhere else in this analysis.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, PID 1720, 0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1720 (0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe) wrote to memory of PID 1472 (MediaCenter.exe): 4 events
  PID 1720 (0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe) wrote to memory of PID 1796 (cmd.exe): 4 events
  PID 1796 (cmd.exe) wrote to memory of PID 1928 (PING.EXE): 4 events
  Note: every write here is a parent writing into a child it has just created, which is the normal CreateProcess pattern; nothing in this report shows writes into an unrelated process, so this is not evidence of injection on its own.
Processes
C:\Users\Admin\AppData\Local\Temp\0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe"
  PID: 1720
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |     Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |     PID: 1472
  |     Signatures: Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe"
        PID: 1796
        Signatures: Deletes itself; Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\PING.EXE
              Command line: ping 127.0.0.1
              PID: 1928
              Signatures: Runs ping.exe

Notes on the tree:
- The sample asks for C:\Windows\System32\cmd.exe but the process that runs is C:\Windows\SysWOW64\cmd.exe: file-system redirection maps System32 to SysWOW64 for a 32-bit caller, matching the Wow6432Node Run key above.
- "ping 127.0.0.1 & del /q <own path>" is the common delayed self-delete idiom: ping to loopback stalls cmd.exe for a few seconds so the original executable has exited and is no longer locked before del removes it. After this runs, the only copy left on disk is the dropped MediaCenter.exe, and the Run key already points there.
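As an added example that is not part of the sandbox report, the Python below turns the two behaviours this analysis flags (the Run key pointing into a user-writable Temp directory, and the "ping loopback & del" self-delete) into detection logic and runs it over events constructed from the report's own IoCs plus two constructed benign controls. The event field names (type, pid, parent_pid, image, cmdline, key, value) are assumptions for the example, not the sandbox's schema; map them to whatever your EDR or Sysmon pipeline emits.

```python
"""Detection logic for Run-key persistence into user-writable paths and for
delayed self-deletion via 'ping <loopback> & del'. Added example; the event
records below are constructed from the report's process tree and registry IoC.
Field names are assumptions, not the sandbox's real schema."""
import re

SAMPLE = "0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROPPED_PATH = TEMP + r"\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report (first five) plus benign controls.
EVENTS = [
    {"type": "process_create", "pid": 1720, "parent_pid": 0,
     "image": SAMPLE_PATH, "cmdline": '"' + SAMPLE_PATH + '"'},
    {"type": "registry_set", "pid": 1720,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED_PATH},
    {"type": "process_create", "pid": 1472, "parent_pid": 1720,
     "image": DROPPED_PATH, "cmdline": DROPPED_PATH},
    {"type": "process_create", "pid": 1796, "parent_pid": 1720,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'},
    {"type": "process_create", "pid": 1928, "parent_pid": 1796,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Benign controls (constructed): a vendor Run key and an ordinary ping.
    {"type": "registry_set", "pid": 900,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "process_create", "pid": 901, "parent_pid": 900,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 127.0.0.1 -n 3 > nul"},
]

# Run / RunOnce under either registry view; capture whether it is the WOW64 view.
RUN_KEY = re.compile(
    r"\\(?P<wow>Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Directories any user can write to; a Run target here is a persistence red flag.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Local\\Temp|Roaming)|ProgramData|Users\\Public)\\", re.I)
# ping [opts] <loopback> ... & del [switches] "<target>.exe"
SELF_DELETE = re.compile(
    r"ping(?:\s+-\w+(?:\s+\d+)?)*\s+(?:127\.0\.0\.1|localhost|::1)\b.*?&+\s*del\s+"
    r"(?:/[a-z]+\s+)*\"?(?P<target>[^\"&]+?\.exe)\"?", re.I)


def run_key_alerts(events):
    """Flag Run/RunOnce values whose target lives in a user-writable directory."""
    alerts = []
    for e in events:
        if e["type"] != "registry_set":
            continue
        m = RUN_KEY.search(e["key"])
        if m and USER_WRITABLE.search(e["value"]):
            alerts.append({"rule": "run_key_user_writable_target", "pid": e["pid"],
                           "target": e["value"], "wow64_view": bool(m.group("wow"))})
    return alerts


def self_delete_alerts(events):
    """Flag 'ping loopback & del' chains; mark those deleting the parent's own image."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    alerts = []
    for e in events:
        if e["type"] != "process_create":
            continue
        m = SELF_DELETE.search(e["cmdline"])
        if not m:
            continue
        target = m.group("target")
        parent_image = image_by_pid.get(e["parent_pid"], "")
        alerts.append({"rule": "delayed_self_delete", "pid": e["pid"], "target": target,
                       "deletes_parent": target.lower() == parent_image.lower()})
    return alerts


if __name__ == "__main__":
    for alert in run_key_alerts(EVENTS) + self_delete_alerts(EVENTS):
        print(alert)
```

Correlating the del target with the parent's image path is what separates this sample's self-deletion from a legitimate installer cleaning up a temp file; the benign control with a plain ping and a Program Files Run key produces no alerts.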
Network
MITRE ATT&CK Enterprise v6
Downloads
Three downloadable artifacts are listed, all with identical hashes (these differ from the submitted sample's hashes under General):
MD5: fd93f552910eca54dbb84ea9bb1c7784
SHA1: 6c20b51de147c1c8b6b13b0f5fd16cddedece565
SHA256: e67055178d17cb9a58247e97f737ecc1632f7ae661fb8e19710729a773380a00
SHA512: d0578ec1862a29b93ff16b1858ad915b63d0b99ed49431f786b9551b54fcd7940359c419c5d070f5568bbb53fec78fdd1c0ac413fa4a6439cba3c51df648a771