Analysis
- max time kernel: 120s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:23
Static task: static1
Behavioral task: behavioral1
  Sample: 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe
  Resource: win10v2004-en-20220113
General
- Target: 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe
- Size: 60KB
- MD5: 5277109558b9ddc47a8e15be945d25de
- SHA1: ec4300e0adf2e309043c6c4cfbd1b45b1d5dfd11
- SHA256: 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd
- SHA512: c64ef28da737ab41161ab0582d8e3f72b1b837a4b3631b28fb29bdd938554eacf3a20fffe0002620ee14b470634966bbacb69328028255eba66b193c584a14f2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid 1484 | process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
    pid 2024 | process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe
    pid 1972 | process 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe
    pid 1972 | process 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe
    description: Token: SeIncBasePriorityPrivilege
    pid: 1972
    process: 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe, cmd.exe
    description | pid | process | target process
    PID 1972 wrote to memory of 1484 | 1972 | 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe | MediaCenter.exe (4 identical entries)
    PID 1972 wrote to memory of 2024 | 1972 | 0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe | cmd.exe (4 identical entries)
    PID 2024 wrote to memory of 1300 | 2024 | cmd.exe | PING.EXE (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe (depth 1, PID 1972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 1484)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2024)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0db5f3df48e234a04a25148fa9704b2391edb110b644580f9d6e91757a65fbdd.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 1300)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3994b4afa39f978525587cb65187428f
  SHA1: c95a99a665d755b4b384d0ec84297e0355c0f798
  SHA256: 1a855176c90a91cc3e187cd9d62c179fce0962619210333b3a72bb92fd33bdbb
  SHA512: 510591cbe957a12d8cdea33be047fe3c9e4e2930bf44a398b2ca0fe23a300e1063f12e0687e2f555e99712fe3eee7d492582bae01fa203b4e98849f5608f6b56