Analysis
- max time kernel: 122s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:25
Static task: static1
Behavioral task: behavioral1
- Sample: 0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
- Resource: win10v2004-en-20220113
General
- Target: 0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
- Size: 36KB
- MD5: 75c7d6904f37378e16f8b11a51919a0b
- SHA1: 60ab256e7c6e13812858ac55b4362d16cff82f5e
- SHA256: 0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702
- SHA512: 32540a86ccb5e84f669b3de3cdad83b1b3adeedc97622157c0194312ec457ca3cb90530d5951308f0ec9ade1d7d4124b9eba9dbd7dbff966189a4804f65fb6d5
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 864  process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid 1984  process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1284  process 0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
    pid 1284  process 0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid 1284  process 0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1284 wrote to memory of 864   1284  0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe  MediaCenter.exe
    PID 1284 wrote to memory of 864   1284  0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe  MediaCenter.exe
    PID 1284 wrote to memory of 864   1284  0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe  MediaCenter.exe
    PID 1284 wrote to memory of 864   1284  0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe  MediaCenter.exe
    PID 1284 wrote to memory of 1984  1284  0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe  cmd.exe
    PID 1284 wrote to memory of 1984  1284  0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe  cmd.exe
    PID 1284 wrote to memory of 1984  1284  0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe  cmd.exe
    PID 1284 wrote to memory of 1984  1284  0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe  cmd.exe
    PID 1984 wrote to memory of 1956  1984  cmd.exe  PING.EXE
    PID 1984 wrote to memory of 1956  1984  cmd.exe  PING.EXE
    PID 1984 wrote to memory of 1956  1984  cmd.exe  PING.EXE
    PID 1984 wrote to memory of 1956  1984  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1284
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 864
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1984
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1956
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 812a375bc0fdad25fba1d8222a5eaf3b
  SHA1: 4e8c84aa248769b8847624ca5b41d2405e69bf07
  SHA256: 139d3e8ef7509e453209ba05605eb0c85ff8e9bd68580354b75d3e227effa731
  SHA512: 347282bb8c386abe222468ed8ebc325909dacaa80b5e607be8be2e436e5af47d6ae1d821c8fa714653a2ce9804b29cd3275bd880ae568e9cc2f47c6c4a235138