Analysis
- max time kernel: 140s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:31
Static task: static1
Behavioral task: behavioral1
  Sample: 0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31.exe
  Resource: win10v2004-en-20220113
General
- Target: 0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31.exe
- Size: 60KB
- MD5: f28defa349e74c6040c0a9c528a2525d
- SHA1: 317e91a3817b71e4cce42f776208b1677b804e3b
- SHA256: 0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31
- SHA512: 33428ccb47f181fbf0b32d032220854612886ba98a720527d04f27ae9abaa5d6803b42cef12a885c0d97e5baacc5520e45db2ea8a8f2279e2f4284746f50d837
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1664  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    PID 1636  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 1588  0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31.exe
    PID 1588  0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note that this is the sandbox's generic heuristic for drive enumeration; nothing else in this report (Run-key persistence, a dropped executable, self-deletion) shows file encryption or a ransom note.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeIncBasePriorityPrivilege  PID 1588  0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 1588 (0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31.exe) wrote to memory of PID 1664 (MediaCenter.exe)  (4 events)
    PID 1588 (0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31.exe) wrote to memory of PID 1636 (cmd.exe)  (4 events)
    PID 1636 (cmd.exe) wrote to memory of PID 896 (PING.EXE)  (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31.exe  (PID 1588)
  command line: "C:\Users\Admin\AppData\Local\Temp\0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1664)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  (PID 1636)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE  (PID 896)
      command line: ping 127.0.0.1
      - Runs ping.exe

The command line names System32\cmd.exe while the image actually launched is SysWOW64\cmd.exe: the sample is a 32-bit process on a 64-bit host, so file-system redirection applies, which is also why its Run value landed under Wow6432Node. The ping to 127.0.0.1 is only a delay so that the parent has exited before del removes the original executable.
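The two behaviours worth alerting on here are the Run value written into a user's Temp directory and the cmd.exe "ping 127.0.0.1 & del" chain that removes the parent's own image. The following is an added detection example, not output from the sandbox or code belonging to the sample: it runs over Sysmon-style events (Event ID 1 process create, Event ID 13 registry value set) that are constructed to mirror the process tree and registry write above, plus two constructed benign controls. The parent PID of the sample, the HKLM prefix form, and the benign vendor paths are assumptions.

```python
"""Detection logic for two behaviours in this report: a Run value that points
into a user's Temp directory, and a cmd.exe "ping ... & del" chain whose del
target is the parent process image (self-deletion). Added example; the events
below are constructed to mirror the report, not exported from the sandbox."""
import re

# Sample path taken from the report; the remaining paths are constructed.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0fc387edb33cc4f0e9e7a1eec60ffebb19e32d8355a4f92a8799d1d129f55e31.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed Sysmon-style events: id 1 = process create, id 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1588, "ppid": 1100, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"id": 13, "pid": 1588, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"id": 1, "pid": 1664, "ppid": 1588, "image": DROPPED, "cmdline": DROPPED},
    {"id": 1, "pid": 1636, "ppid": 1588, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"id": 1, "pid": 896, "ppid": 1636, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign controls (constructed): a vendor Run value outside Temp, and a
    # ping-then-delete that targets a log file rather than the parent's image.
    {"id": 13, "pid": 2100, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
    {"id": 1, "pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 & del /q "C:\Users\Admin\Downloads\old.log"'},
]

RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# "ping <anything without &> & del" or "&& del"; the ping is the delay primitive.
PING_THEN_DEL_RE = re.compile(r"\bping(?:\.exe)?\b[^&]*&{1,2}\s*del\b", re.I)
# del, optional switches such as /q or /f, then an optionally quoted path at end of line.
DEL_TARGET_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$', re.I)


def _images_by_pid(events):
    """Map PID -> image path from process-create events, for parent lookups."""
    return {e["pid"]: e["image"] for e in events if e["id"] == 1}


def find_temp_run_values(events):
    """Run/RunOnce values whose data points under a user's AppData\\Local\\Temp."""
    hits = []
    for e in events:
        if e["id"] != 13:
            continue
        m = RUN_VALUE_RE.search(e["target"])
        if m and USER_TEMP_RE.search(e["details"]):
            hits.append((e["pid"], m.group(1), e["details"]))
    return hits


def find_ping_delete_chains(events):
    """cmd.exe command lines of the form 'ping ... & del ...'. Each hit records
    the del target and whether it equals the parent process image, which is the
    self-deletion pattern seen in this report."""
    parents = _images_by_pid(events)
    hits = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        if not PING_THEN_DEL_RE.search(e["cmdline"]):
            continue
        m = DEL_TARGET_RE.search(e["cmdline"])
        target = m.group(1).strip() if m else None
        parent = parents.get(e["ppid"])
        hits.append({
            "pid": e["pid"],
            "parent_pid": e["ppid"],
            "deleted": target,
            "self_delete": bool(target and parent and target.lower() == parent.lower()),
        })
    return hits


if __name__ == "__main__":
    for hit in find_temp_run_values(SAMPLE_EVENTS):
        print("Run value pointing into Temp:", hit)
    for hit in find_ping_delete_chains(SAMPLE_EVENTS):
        print("ping-then-delete chain:", hit)
```

The parent-image comparison is what separates the self-deletion in this report from ordinary cleanup scripts that also use ping as a sleep: the benign control in the constructed events still matches the ping-then-del shape, but its del target is a log file, so it is reported with self_delete set to False rather than dropped.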
Network
MITRE ATT&CK Enterprise v6
Downloads
(three downloadable artifacts are listed, all with identical hashes)
- MD5: 7ea61e6f78bd855b0eb550eabe5ce241
- SHA1: 098575a90c698776b81ffff304d89478fb2db790
- SHA256: 541325d0a2ba0e653bffacdac2991f970d893de91928de5cf5d7d03720f4d139
- SHA512: af90a72247c939b75aa96cc61350f0b0835de5e917b3ad8929c8088c7a206ede19581c5a35a400eedd4fbe075ffeb196c787946525d12cb32ab79dce3fb98a37