Analysis
max time kernel: 128s
max time network: 152s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:24
Static task: static1
Behavioral task: behavioral1
  Sample: 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe
  Resource: win10v2004-en-20220113
General
Target: 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe
Size: 36KB
MD5: 4c7f8abdd3b67a73d556955f98b5b534
SHA1: c49b907216a8efe23a5b0426a458738f9574ab08
SHA256: 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74
SHA512: c619402fc4f5509cea1471cd64323fc18a210a02d8ea04ac5d2fa278c10b1ae5a9611747dde102009c368a0b2433856e4cde5ca338a2bb60727d7a7eb6b098c9
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 1160  MediaCenter.exe

Deletes itself (1 IoC)
  PID 336  cmd.exe

Loads dropped DLL (2 IoCs)
  PID 1672  0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe
  PID 1672  0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  (written by PID 1672, 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe)
  The Wow6432Node path is the redirected view a 32-bit process gets when it writes the machine-wide Run key on this 64-bit Windows 7 image; writing under HKLM needs administrative rights, which the sandbox's Admin user evidently had. The value points at the dropped copy in the user's Temp directory, so the persistence target is MediaCenter.exe, not the original sample (which is deleted by the cmd.exe chain in the process tree).

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature; the report lists no file-modification or encryption IoCs, so on its own it does not establish ransomware.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  PID 1672  0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1672 (0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe) wrote to memory of PID 1160 (MediaCenter.exe), 4 events
  PID 1672 (0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe) wrote to memory of PID 336 (cmd.exe), 4 events
  PID 336 (cmd.exe) wrote to memory of PID 788 (PING.EXE), 4 events
  Every target is a child the writer itself had just spawned, which is consistent with ordinary process start-up rather than injection into an already-running process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe"
   PID 1672
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID 1160
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe"
      PID 336
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID 788
         - Runs ping.exe

The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the 32-bit parent is subject to file-system redirection, so it gets the 32-bit cmd.exe and, in turn, the 32-bit PING.EXE. The loopback ping is only a short delay; once the parent has exited and released its image, del /q removes the original sample from Temp while the dropped MediaCenter.exe and its Run key remain.
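The two behaviours the tree shows, the delayed self-delete through cmd.exe and the Run key pointing into the user's Temp directory, are easy to pick out of process-creation and registry-set telemetry. The following Python is an added example, not code from the Triage report or from the sample: it runs over constructed event records built from the PIDs, image paths, command line and Run-key value shown above (the ProcEvent/RegSetEvent layout, the field names and the parent PID of 0 for the top-level sample are assumptions, since the page does not give a raw event format or the sample's own parent), and it reports a self-delete only when the path handed to del is the image of the process that launched cmd.exe.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int          # 0 = parent not recorded (assumption for the top-level sample)
    image: str
    cmdline: str


@dataclass
class RegSetEvent:
    pid: int
    image: str
    key: str
    value: str
    data: str


# Constructed records: PIDs, paths, command lines and the Run-key value are taken
# from the report's process tree and signatures; the record layout is assumed.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
PROC_EVENTS = [
    ProcEvent(1672, 0, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1160, 1672, DROPPED, DROPPED),
    ProcEvent(336, 1672, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'),
    ProcEvent(788, 336, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REG_EVENTS = [
    RegSetEvent(1672, SAMPLE,
                r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
                "MicroMedia", DROPPED),
]

# "ping <loopback> [...] & del <flags> <path>": the ping is the delay, del removes
# the file once the process that launched cmd.exe has exited and released its image.
SELF_DELETE_RE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b[^&]*&+\s*"
    r"del\s+(?:/\w\s+)*\"?(?P<path>[^\"]+?)\"?\s*$",
    re.IGNORECASE,
)
# Directories a Run-key entry should rarely point into (heuristic, not exhaustive).
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(?:Local\\Temp|Roaming)\\|\\Users\\Public\\", re.IGNORECASE)


def parse_self_delete(cmdline: str) -> Optional[str]:
    """Return the path a 'ping & del' one-liner deletes, or None if it is not one."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("path").strip() if m else None


def find_self_deletes(events):
    """Flag cmd.exe launches that run a delayed del; mark the hit as a self-delete
    when the deleted path is the image of the process that spawned cmd.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        target = parse_self_delete(e.cmdline)
        if target is None:
            continue
        parent = by_pid.get(e.ppid)
        hits.append({
            "deleter_pid": e.pid,
            "parent_pid": e.ppid,
            "target": target,
            "self_delete": parent is not None and parent.image.lower() == target.lower(),
        })
    return hits


def suspicious_run_keys(events):
    """Flag Run-key values whose target lives in a user-writable directory.
    Wow6432Node in the key path means a 32-bit writer on a 64-bit host."""
    hits = []
    for e in events:
        if "\\microsoft\\windows\\currentversion\\run" not in e.key.lower():
            continue
        if not USER_WRITABLE_RE.search(e.data):
            continue
        hits.append({
            "writer_pid": e.pid,
            "value": e.value,
            "target": e.data,
            "wow6432": "\\wow6432node\\" in e.key.lower(),
        })
    return hits


if __name__ == "__main__":
    for h in find_self_deletes(PROC_EVENTS):
        print("self-delete" if h["self_delete"] else "delayed delete", h)
    for h in suspicious_run_keys(REG_EVENTS):
        print("run-key persistence", h)
```

Run on the constructed records it reports one self-delete (PID 336 deleting the image of its parent PID 1672) and one Run-key entry written through Wow6432Node into AppData\Local\Temp. The parent-image comparison is what separates a self-delete from any script that merely removes a file after a ping; if the telemetry lacks parent PIDs the hit is still raised, just without the self_delete flag.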
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file (three download entries in the report, all with identical hashes):
MD5: a24881e851bc210fe20cc8df9239a1e6
SHA1: 67b182d1f93fbbb5a9cf6e94520c4eddf2b5282c
SHA256: d8909487eeaf034a1debd162bb38bc37abbd3c9357ab47035acddccfecc5cfc5
SHA512: 8e0d5502a0d89ea9d6b8dd375f823396d465b196d53b26a7f35f106186e48e4e25d2682f442019e06c818b2166ba24a8f509f112e6ee705f941b6b6e17b0249b