Analysis
- max time kernel: 156s
- max time network: 181s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:18
Static task: static1
Behavioral task: behavioral1
- Sample: 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe
- Resource: win10v2004-en-20220113
General
- Target: 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe
- Size: 36KB
- MD5: 93f7152ef1a39ac22d4dd4a91ac4c7d8
- SHA1: 77cd97ce5baf5d09075c274c22dd4e2eb6648381
- SHA256: 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61
- SHA512: ced2b0433ad0f193a8742fa5df01f2c7c5551d8ae6fd38acf1399f2ded045f542b54ed2e8b26b1cd1056052398a8de331d72e16c09343d4caf114c7047c8ee75
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: PID 948 MediaCenter.exe
- Deletes itself (1 IoC)
  Process: PID 1508 cmd.exe
- Loads dropped DLL (2 IoCs)
  Process: PID 732 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe (two DLL loads)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: PID 732 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: PID 732 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe, Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 732 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe wrote to memory of PID 948 MediaCenter.exe (4 events)
  PID 732 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe wrote to memory of PID 1508 cmd.exe (4 events)
  PID 1508 cmd.exe wrote to memory of PID 940 PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe (PID 732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 948)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1508)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 940)
      Command line: ping 127.0.0.1
      - Runs ping.exe
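The two behaviours worth detecting in this tree are the Run value pointing into the user's Temp directory and the `cmd.exe /c ping 127.0.0.1 & del /q "<own path>"` self-deletion, where the ping is only a delay so the sample's file handle is closed before `del` runs. The Python below is an added example written for this page, not part of the Triage report or the sample; it runs the two checks over constructed Sysmon-style events (the field names `image`, `parent_image`, `cmdline`, `key` and `value` are assumptions modelled on the IoCs above), and includes two constructed benign events to show that the checks stay quiet on them.

```python
import re

# Paths copied from the report's process tree; the events below are constructed
# to mirror it, they are not the sandbox's own telemetry.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe")
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD_EXE = r"C:\Windows\SysWOW64\cmd.exe"

SAMPLE_EVENTS = [
    # registry value set, cf. "Adds Run key to start application"
    {"type": "registry_set", "pid": 732, "image": SAMPLE_EXE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED_EXE},
    # process creations, cf. the process tree
    {"type": "process_create", "pid": 948, "ppid": 732, "parent_image": SAMPLE_EXE,
     "image": DROPPED_EXE, "cmdline": DROPPED_EXE},
    {"type": "process_create", "pid": 1508, "ppid": 732, "parent_image": SAMPLE_EXE,
     "image": CMD_EXE,
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_EXE}"'},
    {"type": "process_create", "pid": 940, "ppid": 1508, "parent_image": CMD_EXE,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # constructed benign controls: a Run value under Program Files, and cmd.exe
    # deleting a log file that is not its parent's image
    {"type": "registry_set", "pid": 4000, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "value": r'"C:\Program Files\Vendor\tray.exe" /background'},
    {"type": "process_create", "pid": 4100, "ppid": 1200, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Temp\old.log"'},
]

# Match the Run/RunOnce suffix so both the native and the Wow6432Node hive paths hit.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Directories an unprivileged user can write to; a Run target here is suspicious.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# 'del' with optional switches, then a quoted or bare target path.
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+(?:"([^"]+)"|(\S+))', re.I)
# Common "wait until the parent exits" idioms used before the delete.
DELAY_RE = re.compile(r"\b(ping(?:\.exe)?|timeout(?:\.exe)?)\b", re.I)


def _first_path(cmdline):
    """Return the executable path at the start of a command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def check_run_key(ev):
    """Flag a Run/RunOnce value whose target lives in a user-writable directory."""
    if ev["type"] != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return None
    target = _first_path(ev["value"])
    if USER_WRITABLE_RE.search(target):
        name = ev["key"].rsplit("\\", 1)[-1]
        return f"persistence: Run value '{name}' -> {target} (set by pid {ev['pid']})"
    return None


def check_self_delete(ev):
    """Flag cmd.exe that deletes its parent's image, optionally after a ping/timeout delay."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\cmd.exe"):
        return None
    m = DEL_RE.search(ev["cmdline"])
    if not m:
        return None
    target = (m.group(1) or m.group(2)).lower()
    if target == ev["parent_image"].lower():
        delay = "with delay" if DELAY_RE.search(ev["cmdline"]) else "without delay"
        return f"self-delete: pid {ev['pid']} cmd.exe removes parent image {target} ({delay})"
    return None


def scan(events):
    """Run both checks over an event list and return the findings in event order."""
    findings = []
    for ev in events:
        for check in (check_run_key, check_self_delete):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The self-delete check compares the `del` target with the parent's image rather than with cmd.exe's own path: the tree shows the command line naming `System32\cmd.exe` while the image that ran is `SysWOW64\cmd.exe`, so matching on the cmd.exe path would be brittle under WOW64 redirection. The same redirection puts the Run value under `Wow6432Node`, which is why the key regex anchors on the `\CurrentVersion\Run\` suffix instead of a full hive path.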
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: aa569b3b0ca882ff99f32a9aae95d8f9
  SHA1: 048490f5e46e8313457f2a88ec0a41bbd62de9e3
  SHA256: 42128e9756a7f5ff99815da2696b34e0702c4b236938b5675bb2d5da66d1f038
  SHA512: 5d9935f6710ba6c19acf7250f15c21e67b72fdb4c3367b49d5246d760ccd4a4cbdbe4ea6d7c26f044b500204ee8fdf0d7630deb2161d79dc6f6866cebd23c866
  (the same hash set is listed three times in the report; no file names are given)