Analysis
- max time kernel: 118s
- max time network: 137s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:22
- Static task: static1
- Behavioral task: behavioral1, sample 0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe, resource win7-en-20211208
- Behavioral task: behavioral2, sample 0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe, resource win10v2004-en-20220113
General
- Target: 0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe
- Size: 58KB
- MD5: 12191f2938b2782e0c75f8a6d3b36356
- SHA1: ccc211de003f8d7f8b19fc5e7b9025a71186c6dc
- SHA256: 0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9
- SHA512: ec3228915f514c99a2febed89acaf1fd5b898dbbc48ef283e127c187f565fed4fd72e7ca152bbe37f4dede7247368de97a3c501236628db54ae0a5439a3b3f7e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1616
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 440
- Loads dropped DLL (2 IoCs)
  Process: 0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe (the sample), PID 956, 2 events
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: the sample, PID 956
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The key lands under Wow6432Node because the sample is a 32-bit process on 64-bit Windows and its HKLM\SOFTWARE writes are redirected; the entry still autostarts MediaCenter.exe from the user's Temp directory at logon, so a detection should match the Run key with and without the Wow6432Node prefix.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour"; it is a heuristic flag, and nothing else in this report (no encryption activity, no ransom note) corroborates it.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE, PID 1932, child of cmd.exe PID 440 (see process tree)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: the sample, PID 956, enabled token privilege SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 956 (the sample) wrote to memory of PID 1616 (MediaCenter.exe): 4 events
  PID 956 (the sample) wrote to memory of PID 440 (cmd.exe): 4 events
  PID 440 (cmd.exe) wrote to memory of PID 1932 (PING.EXE): 4 events
  Every target is a direct child the writer itself spawned, which is consistent with the writes that accompany process creation rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe (PID 956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1616)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 440)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    The command line names System32 but the image runs from SysWOW64: file-system redirection for a 32-bit parent. The ping to 127.0.0.1 is only a delay so that the sample has exited and its image file is no longer locked before del removes it.
    - C:\Windows\SysWOW64\PING.EXE (PID 1932)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
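Detection logic for the two behaviours the process tree records, written as an added example (not code from the sandbox or from the sample): a Run-key value that points into a user-writable directory, and a cmd.exe child that delays with ping and then deletes its parent's executable. The event records are constructed to mirror this report (PIDs, paths and command lines copied from it); the field names and finding labels are this example's own convention. The self-delete matcher also accepts `timeout` as the delay and `erase` as the delete verb, which goes beyond this one sample.

```python
"""Flag Run-key persistence into user-writable paths and delay-then-delete
self-removal, run over constructed process/registry events modelled on the
sandbox report above. Added example; field names are this script's own."""
import re
from typing import Optional

# "cmd /c ping 127.0.0.1 & del /q "<file>"": ping (or timeout) only stalls until
# the parent has exited and its image file is unlocked, then del removes it.
SELF_DELETE_RE = re.compile(
    r'/c\s+(?:ping|timeout)\b.*?(?:&&?|\|\|)\s*(?:del|erase)\s+(?:/\w+\s+)*"?([^"&]+?)"?\s*$',
    re.IGNORECASE,
)

# Match Run/RunOnce with or without Wow6432Node: a 32-bit process on 64-bit
# Windows has its HKLM\SOFTWARE writes redirected under that subkey.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?(?:\\|$)", re.IGNORECASE
)

# Autostart targets here need no admin rights to write, so they deserve a look.
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\",
)


def self_delete_target(cmdline: str) -> Optional[str]:
    """Return the path a delay-then-delete cmd.exe command line removes, or None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group(1).strip() if m else None


def run_key_target(data: str) -> str:
    """Extract the executable path from a Run value, quoted or not, with or without args."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in USER_WRITABLE_DIRS)


def analyze(events: list) -> list:
    """Return (label, pid, path) findings for process-creation and registry-set
    records given in the order the sandbox logged them."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "registry" and RUN_KEY_RE.search(e["key"]):
            target = run_key_target(e["data"])
            if in_user_writable_dir(target):
                findings.append(("run_key_to_user_writable_dir", e["pid"], target))
        elif e["type"] == "process":
            deleted = self_delete_target(e["cmdline"])
            if deleted is None:
                continue
            parent = procs.get(e["ppid"])
            # Deleting the parent's own image is the self-deletion case; any
            # other delayed delete through cmd.exe is still worth recording.
            if parent and parent["image"].lower() == deleted.lower():
                findings.append(("self_delete_via_cmd_delay", e["ppid"], deleted))
            else:
                findings.append(("delayed_delete_via_cmd", e["pid"], deleted))
    return findings


# Constructed events mirroring the report's process tree and registry IoC.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
EVENTS = [
    {"type": "process", "pid": 956, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 956,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"type": "process", "pid": 1616, "ppid": 956, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 440, "ppid": 956, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1932, "ppid": 440, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

if __name__ == "__main__":
    for label, pid, path in analyze(EVENTS):
        print(f"{label}\tpid={pid}\t{path}")
```

Matching the parent's image path against the del target is what separates genuine self-deletion from a script that merely cleans up a temp file; keep the Run-key check keyed on the subkey path rather than the full key string so the Wow6432Node variant is not missed.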
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: cdbaba1f59633634f2a2944b8cbad0e9
  SHA1: 1c03f152a9233ed9ebdf6ae94c803708496630ca
  SHA256: 2047302342f07ea47bd29a5987b02295fe778befac370168932b1142932fd73a
  SHA512: dfaf222497462454210d6342dc141a49341d6f2bf142affead59ee3d4b4284c925f693d6ecb5fabfff20ec8d5995aec6711e824bd08a326cbfe3772fa573c439