Analysis
- max time kernel: 122s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:26
Static task: static1
Behavioral task: behavioral1
- Sample: 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe
- Resource: win10v2004-en-20220112
General
- Target: 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe
- Size: 36KB
- MD5: 5ca52239338e20b6eaea43c925f007a9
- SHA1: f12b521dda832ef822a010841e09e538c02c1b25
- SHA256: 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10
- SHA512: aabd779b2e59f794e24a8fe8e9d8f384c37b399d5aae64fbc96839ffd6748068a1ff6a4a9f400695883fcbb26354e0caf6a5baa2cd50fca812773fddcb716206
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1796 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  364 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1184 | 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe
  1184 | 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1184 | 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1184 wrote to memory of 1796 | 1184 | 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe | MediaCenter.exe
  PID 1184 wrote to memory of 1796 | 1184 | 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe | MediaCenter.exe
  PID 1184 wrote to memory of 1796 | 1184 | 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe | MediaCenter.exe
  PID 1184 wrote to memory of 1796 | 1184 | 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe | MediaCenter.exe
  PID 1184 wrote to memory of 364 | 1184 | 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe | cmd.exe
  PID 1184 wrote to memory of 364 | 1184 | 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe | cmd.exe
  PID 1184 wrote to memory of 364 | 1184 | 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe | cmd.exe
  PID 1184 wrote to memory of 364 | 1184 | 0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe | cmd.exe
  PID 364 wrote to memory of 752 | 364 | cmd.exe | PING.EXE
  PID 364 wrote to memory of 752 | 364 | cmd.exe | PING.EXE
  PID 364 wrote to memory of 752 | 364 | cmd.exe | PING.EXE
  PID 364 wrote to memory of 752 | 364 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe (PID 1184)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1796)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 364)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d8efc1a59fbd70f61afe9664fa90b75c7817596b71cf8fbf9d9171c00b1ee10.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 752)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2253bc55c224c2f84bbaf3088d408f08
  SHA1: 9ee22070447f96ca90a14641f01130bb595a4e07
  SHA256: 6ae8c1d1cc90cd8727d7a59c90b8febb91f078906f1cf718a4ea681f7e1e1f3b
  SHA512: 049839277e8e44b4a62eaa8b03f1d7698e68e2d48d0286b796cfb9f2159bca3e922cf9e9eb2982a9a17e5b882174575e74c511d56e6d57d0fd6f81068f507e37