Analysis
- max time kernel: 150s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:17
Static task: static1
Behavioral task: behavioral1
- Sample: 0dfa1f1f18bbce6bba43e0fcce4f17f16c2bc05b83a94dae0ab566f765dd3aff.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0dfa1f1f18bbce6bba43e0fcce4f17f16c2bc05b83a94dae0ab566f765dd3aff.exe
- Resource: win10v2004-en-20220113
General
- Target: 0dfa1f1f18bbce6bba43e0fcce4f17f16c2bc05b83a94dae0ab566f765dd3aff.exe
- Size: 36KB
- MD5: 5a1942bcfb3a4dd1f2e2c2715ae0ae69
- SHA1: 3900751a9e09ec541d62947198eda044fbcf46e4
- SHA256: 0dfa1f1f18bbce6bba43e0fcce4f17f16c2bc05b83a94dae0ab566f765dd3aff
- SHA512: f2ac846ddf3489719bc29513a5ba714412575bbcc3df16edd72bf8d2f593478cc3ae24c773701d3c5da3d751a81c85b31d49c8ae757b5a36224b87a4f2590450
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  1656  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid   process
  856   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  1488  0dfa1f1f18bbce6bba43e0fcce4f17f16c2bc05b83a94dae0ab566f765dd3aff.exe
  1488  0dfa1f1f18bbce6bba43e0fcce4f17f16c2bc05b83a94dae0ab566f765dd3aff.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description      ioc                                                                                                                                                              process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0dfa1f1f18bbce6bba43e0fcce4f17f16c2bc05b83a94dae0ab566f765dd3aff.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1488  0dfa1f1f18bbce6bba43e0fcce4f17f16c2bc05b83a94dae0ab566f765dd3aff.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each row appears four times in the report):
  description                        pid   process                                                                 target process
  PID 1488 wrote to memory of 1656   1488  0dfa1f1f18bbce6bba43e0fcce4f17f16c2bc05b83a94dae0ab566f765dd3aff.exe  MediaCenter.exe
  PID 1488 wrote to memory of 856    1488  0dfa1f1f18bbce6bba43e0fcce4f17f16c2bc05b83a94dae0ab566f765dd3aff.exe  cmd.exe
  PID 856 wrote to memory of 2032    856   cmd.exe                                                                 PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\0dfa1f1f18bbce6bba43e0fcce4f17f16c2bc05b83a94dae0ab566f765dd3aff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0dfa1f1f18bbce6bba43e0fcce4f17f16c2bc05b83a94dae0ab566f765dd3aff.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1488
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1656
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dfa1f1f18bbce6bba43e0fcce4f17f16c2bc05b83a94dae0ab566f765dd3aff.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 856
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 2032
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 94be0cc0409b1146c18abd59dc1c431f
- SHA1: 17966e2f514ce7a466ce551e83e7cda0f7a69347
- SHA256: 400827b2986320a1342faa6a58d41fb789d459df8d54ef723a3c26f4f1490fc9
- SHA512: fc09d589ca80441e8bea2599399a4b9d0be1e7bb7011151c8f5262811859cb77e41f3d64819177f4b15b4d79ac562fb436f64164225a4602135351113b09d606