Analysis
- max time kernel: 122s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:32
Static task: static1
Behavioral task: behavioral1
- Sample: 0fb541e92b7601f6afbc63183dd753cdd57c0bf83c6f910cc66c55a2838ddcb2.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0fb541e92b7601f6afbc63183dd753cdd57c0bf83c6f910cc66c55a2838ddcb2.exe
- Resource: win10v2004-en-20220112
General
- Target: 0fb541e92b7601f6afbc63183dd753cdd57c0bf83c6f910cc66c55a2838ddcb2.exe
- Size: 36KB
- MD5: 58b85fe202bd721279e3c949a768d001
- SHA1: ffade5ca25c2b345143d139cfc6b525b99ea7491
- SHA256: 0fb541e92b7601f6afbc63183dd753cdd57c0bf83c6f910cc66c55a2838ddcb2
- SHA512: ca2f2d0e1517dead1a5a7f363525e211fa48051eed6482b26b588179b4ab530626f30186233e9e199ad43ef2abf419643969c5de9ffb360711791ea6bdf5cd52
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 516)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1668)
- Loads dropped DLL (2 IoCs)
  Processes: 0fb541e92b7601f6afbc63183dd753cdd57c0bf83c6f910cc66c55a2838ddcb2.exe (PID 956), two entries
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0fb541e92b7601f6afbc63183dd753cdd57c0bf83c6f910cc66c55a2838ddcb2.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0fb541e92b7601f6afbc63183dd753cdd57c0bf83c6f910cc66c55a2838ddcb2.exe (PID 956)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 956 (0fb541e92b7601f6afbc63183dd753cdd57c0bf83c6f910cc66c55a2838ddcb2.exe) wrote to memory of PID 516 (MediaCenter.exe), 4 entries
  PID 956 (0fb541e92b7601f6afbc63183dd753cdd57c0bf83c6f910cc66c55a2838ddcb2.exe) wrote to memory of PID 1668 (cmd.exe), 4 entries
  PID 1668 (cmd.exe) wrote to memory of PID 1036 (PING.EXE), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0fb541e92b7601f6afbc63183dd753cdd57c0bf83c6f910cc66c55a2838ddcb2.exe (PID 956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fb541e92b7601f6afbc63183dd753cdd57c0bf83c6f910cc66c55a2838ddcb2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 516, child of 956)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1668, child of 956)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fb541e92b7601f6afbc63183dd753cdd57c0bf83c6f910cc66c55a2838ddcb2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1036, child of 1668)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f7d17c764db78598dd4dbd8a3a35ec89
  SHA1: ad2e38a0045ea0a7584663736ce116d0134cfd70
  SHA256: cd4e7a21dea34ed9f25a5e14537a9189772aa515e140c636690cb10d580cb951
  SHA512: 86e124a63a9dc6dc7601648804bce5fc61a9f45ede9be05ff3bc1abb7a2dde7ec83a00fb8c4c80b80f9bf588028dd26ee2a3a7da44ddbffe074a2b68af046907