Analysis
- max time kernel: 147s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:26
Static task: static1
Behavioral task: behavioral1
- Sample: 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe
- Resource: win10v2004-en-20220113
General
- Target: 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe
- Size: 60KB
- MD5: 728e8d293a336d94011f1ac2a2ace865
- SHA1: 0508ddcfa642c0ce44235bec7d1da876b272be5a
- SHA256: 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32
- SHA512: 9a2a98c0250edf76c051f3a1e966bec7306af2fd39eca067933af3ed87e53c3dc5647430fbdba8b3f0d9ef7c2c9b2f6d001b1158ac5de4f4041614beef90b269
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1892 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  396 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1684 | 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe
  1684 | 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1684 | 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1684 wrote to memory of 1892 | 1684 | 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe | MediaCenter.exe
  PID 1684 wrote to memory of 1892 | 1684 | 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe | MediaCenter.exe
  PID 1684 wrote to memory of 1892 | 1684 | 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe | MediaCenter.exe
  PID 1684 wrote to memory of 1892 | 1684 | 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe | MediaCenter.exe
  PID 1684 wrote to memory of 396 | 1684 | 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe | cmd.exe
  PID 1684 wrote to memory of 396 | 1684 | 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe | cmd.exe
  PID 1684 wrote to memory of 396 | 1684 | 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe | cmd.exe
  PID 1684 wrote to memory of 396 | 1684 | 0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe | cmd.exe
  PID 396 wrote to memory of 1144 | 396 | cmd.exe | PING.EXE
  PID 396 wrote to memory of 1144 | 396 | cmd.exe | PING.EXE
  PID 396 wrote to memory of 1144 | 396 | cmd.exe | PING.EXE
  PID 396 wrote to memory of 1144 | 396 | cmd.exe | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1684
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1892
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d95e8f9b684be9c52ea187b754a28d7f3eb651d2590988a22b29177dff19b32.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 396
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1144
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e09cab97eeece5c9db01d0de3904a117
  SHA1: 6264dd82f24d06868a96fa2deaac24dd96e4810c
  SHA256: a4505369da4197cf5b133f04c6fae69cc817ba125a870a0ba23434e367462905
  SHA512: 338c702d2a2f7a3ecc1c60b995d082df092c2afa2dbaedcfdcfcb362895cbb186556858e49cdd33526e8cc05de028f862beabcdc85aa7994d1f09a49b95874bf