Analysis
- max time kernel: 119s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:34

Static task: static1

Behavioral task: behavioral1
- Sample: 0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe
- Resource: win10v2004-en-20220113
General
- Target: 0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe
- Size: 60KB
- MD5: d655b6be19e4a1d83168785cbeafe856
- SHA1: 5e5364b4fb28ada1cb6af60dd67c05d58efd0298
- SHA256: 0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13
- SHA512: 50229ab78d329db12bbe6e1915b73d2ec00402b75e21bb0e6a2f9ad99a10527682bbd860235902aa48a094cb4e718f607808564b7fad75f3872b90b6d2668ab1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1472  MediaCenter.exe

- Deletes itself (1 IoC)
  Processes:
    pid   process
    536   cmd.exe

- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1616  0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe
    1616  0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature description: nothing else in this report, such as file encryption or mass file modification, points to ransomware.)

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                         pid   process
    Token: SeIncBasePriorityPrivilege   1616  0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                   target process
    PID 1616 wrote to memory of 1472   1616  0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe  MediaCenter.exe
    PID 1616 wrote to memory of 1472   1616  0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe  MediaCenter.exe
    PID 1616 wrote to memory of 1472   1616  0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe  MediaCenter.exe
    PID 1616 wrote to memory of 1472   1616  0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe  MediaCenter.exe
    PID 1616 wrote to memory of 536    1616  0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe  cmd.exe
    PID 1616 wrote to memory of 536    1616  0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe  cmd.exe
    PID 1616 wrote to memory of 536    1616  0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe  cmd.exe
    PID 1616 wrote to memory of 536    1616  0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe  cmd.exe
    PID 536 wrote to memory of 1552    536   cmd.exe                                                                   PING.EXE
    PID 536 wrote to memory of 1552    536   cmd.exe                                                                   PING.EXE
    PID 536 wrote to memory of 1552    536   cmd.exe                                                                   PING.EXE
    PID 536 wrote to memory of 1552    536   cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe"
  PID: 1616
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1472
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe"
    PID: 536
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1552
      - Runs ping.exe
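Detection logic for the two behaviours the signatures and process tree above record, the Run value written from a Temp path and the cmd.exe "ping 127.0.0.1 & del" self-removal, as an added example; it is not part of the Triage report. The event records are constructed from the report's process tree using Sysmon-style field names (EventID 1 for process create, EventID 13 for a registry value set) and are not real telemetry; the parent PID and parent image of the first process are assumptions, as is the `ping -n`/`-w` variant handling in the regex.

```python
"""Flag the persistence and self-deletion chain from the sandbox report.

Added example, not part of the report.  EVENTS is constructed from the
report's process tree in Sysmon-style field names (EventID 1 = process
create, EventID 13 = registry value set); it is not real Sysmon output.
"""
import re

SAMPLE = "0f9a6c89e7c68aa819d77239f06d020f8fbd7068145cc66f51298f45f53ccf13.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROPPED = TEMP + r"\MicroMedia\MediaCenter.exe"

EVENTS = [  # constructed from the report; parent of PID 1616 is assumed
    {"EventID": 1, "ProcessId": 1616, "ParentProcessId": 1000,
     "Image": SAMPLE_PATH, "CommandLine": '"' + SAMPLE_PATH + '"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 1616, "Image": SAMPLE_PATH,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft"
                     r"\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 1472, "ParentProcessId": 1616,
     "Image": DROPPED, "CommandLine": DROPPED, "ParentImage": SAMPLE_PATH},
    {"EventID": 1, "ProcessId": 536, "ParentProcessId": 1616,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 '
                    '& del /q "' + SAMPLE_PATH + '"',
     "ParentImage": SAMPLE_PATH},
    {"EventID": 1, "ProcessId": 1552, "ParentProcessId": 536,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
]

# "ping <loopback> & del <file>": the ping is a sleep so the parent can exit
# before del runs.  -n/-w arguments are accepted as common variants (assumed).
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-[nw]\s+\d+\s+)*(?:127\.0\.0\.1|localhost)\b.*?&\s*del\s+'
    r'(?:/\w\s+)*"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r'\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r'\\(?:AppData\\(?:Local|Roaming)|ProgramData|Users\\Public)\\', re.IGNORECASE)


def detect_self_delete(events):
    """Return (cmd pid, parent pid, parent image) for each cmd.exe whose
    command line deletes its own parent's image after a loopback ping,
    as PID 536 does to PID 1616 in the report."""
    hits = []
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["CommandLine"])
        if m and m.group("target").lower() == e["ParentImage"].lower():
            hits.append((e["ProcessId"], e["ParentProcessId"], e["ParentImage"]))
    return hits


def detect_run_key_to_user_path(events):
    """Return (value name, target path, under_wow6432node) for Run/RunOnce
    values pointing into user-writable locations.  Wow6432Node means the
    writer was a 32-bit process on 64-bit Windows."""
    hits = []
    for e in events:
        if e["EventID"] != 13 or not RUN_KEY_RE.search(e["TargetObject"]):
            continue
        if USER_WRITABLE_RE.search(e["Details"]):
            name = e["TargetObject"].rsplit("\\", 1)[1]
            wow64 = "\\wow6432node\\" in e["TargetObject"].lower()
            hits.append((name, e["Details"], wow64))
    return hits


def detect_wow64_redirection(events):
    """Return PIDs whose image is under SysWOW64 while the command line names
    System32: WoW64 file-system redirection, i.e. a 32-bit launcher.  Not
    malicious by itself; it explains the SysWOW64 cmd/ping in the tree."""
    return [e["ProcessId"] for e in events
            if e["EventID"] == 1
            and "\\syswow64\\" in e["Image"].lower()
            and "\\system32\\" in e["CommandLine"].lower()]


if __name__ == "__main__":
    for cmd_pid, parent_pid, image in detect_self_delete(EVENTS):
        print(f"self-delete: cmd.exe {cmd_pid} removes parent {parent_pid} ({image})")
    for name, path, wow64 in detect_run_key_to_user_path(EVENTS):
        print(f"run key: {name} -> {path} (Wow6432Node={wow64})")
    print("WoW64-redirected launches:", detect_wow64_redirection(EVENTS))
```

Two details of the report are worth keeping in mind when reading the output. The Run value landed under HKLM\SOFTWARE\Wow6432Node, which requires administrative rights to write (the sandbox runs the sample as Admin) and confirms a 32-bit binary on a 64-bit host; the same fact explains why cmd.exe and PING.EXE run from SysWOW64 even though the command line says System32. The example deliberately does not alert on WriteProcessMemory alone: writes from a parent into a child it has just created are also part of ordinary process start-up, so the twelve rows above corroborate the tree rather than indicate injection.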
Network
MITRE ATT&CK Enterprise v6
Downloads
- (listed three times in the report with identical hashes)
  MD5: 2b5172778191975ce053f9a87d4c8bf2
  SHA1: 239fc1fc36b0b24195553d3f843422ec9b294359
  SHA256: c70e7dbbd652eaf9d4ea5f4c5a3bf4fbc54507474f96513e8815674994e572f4
  SHA512: 9b20691d9dde7b2617850c0fb4a02b4e54acc5d629efe22d672bf29be5d1ee8355c052f2c7deacad44f82d7ff7d99f1c96d50da52a152d4e6ad6f8fddbb33b64