Analysis
max time kernel: 125s
max time network: 152s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:23
Static task: static1
Behavioral task: behavioral1
  Sample: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
  Resource: win10v2004-en-20220113
General
Target: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
Size: 60KB
MD5: 9a47f4bd505259886f621f5e37741f44
SHA1: 0bface989cd105a72a6cc97cfe0c7d586e950d8b
SHA256: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f
SHA512: 60e2339aa6f3d664f89786a11c013f0201d898953c28acac52151e2f1e429eafa4a8bf624b2868b118e71fe13fc9b2049d5d5abf0fd7a0535f562ff39d01ebb9
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid  process
    516  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid  process
    528  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
    pid  process
    820  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
    820  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
    description                          pid  process
    Token: SeIncBasePriorityPrivilege    820  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe, cmd.exe
    description                       pid  process                                                                  target process
    PID 820 wrote to memory of 516    820  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  MediaCenter.exe
    PID 820 wrote to memory of 516    820  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  MediaCenter.exe
    PID 820 wrote to memory of 516    820  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  MediaCenter.exe
    PID 820 wrote to memory of 516    820  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  MediaCenter.exe
    PID 820 wrote to memory of 528    820  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  cmd.exe
    PID 820 wrote to memory of 528    820  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  cmd.exe
    PID 820 wrote to memory of 528    820  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  cmd.exe
    PID 820 wrote to memory of 528    820  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  cmd.exe
    PID 528 wrote to memory of 1132   528  cmd.exe                                                                  PING.EXE
    PID 528 wrote to memory of 1132   528  cmd.exe                                                                  PING.EXE
    PID 528 wrote to memory of 1132   528  cmd.exe                                                                  PING.EXE
    PID 528 wrote to memory of 1132   528  cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe"
  PID: 820
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 516
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe"
    PID: 528
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1132
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 4848f8913a256485fef6c027ab375948
SHA1: c1c3d80f9ee180c77ce23895cf3f5f7adbebdd9c
SHA256: 084280179ea1d2f433909af88f19e10be4b6da1aaadf58f77fef9b327fd903f3
SHA512: 6b8d23bc0c0fc5b86b0ba4ad5858f841672b649251c1efe76de242d295088430fad1ee29c46e1f1e33cc5eff5e80470e4cbcc6b511af2f982ebb827a72796457