Analysis
Max time kernel: 149s
Max time network: 173s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12/02/2022, 06:38
Static task: static1
Behavioral task: behavioral1
  Sample: 0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
  Resource: win10v2004-en-20220112
General
Target: 0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
Size: 35KB
MD5: 8ed4bbe4c71b9012b4f805619e68bd49
SHA1: 91faeb75d8db34fc8a6512d41cccf00bcd250405
SHA256: 0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f
SHA512: 9fd940452e1bd8d32910e1a825e3f2289a5457861a6237da03098003611724a175ece2054c51efa15a17d1112ccdbfc0737595a1825dffdab28509bacf3fcf4e
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 660  MediaCenter.exe
Deletes itself (1 IoC)
  PID 1284  cmd.exe
Loads dropped DLL (2 IoCs)
  PID 1924  0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe (two loads recorded for the same process; the report does not name the DLL)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  written by 0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
  The Wow6432Node path shows the writer is a 32-bit process on 64-bit Windows. The persisted target is the dropped binary under the user's Temp directory, so the persistence survives reboot for as long as that file is not cleaned up; the original sample is deleted (see below), so this Run value and the dropped file are the artifacts to hunt for.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature; no drive-level IoC or file-encryption event is listed in this report, so treat the ransomware wording as a heuristic rather than an observed outcome.
Runs ping.exe (1 TTP, 1 IoC)
  PID 964  PING.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  PID 1924  0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1924 (0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe) wrote to memory of PID 660  (procid_target 27), 4 entries
  PID 1924 (0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe) wrote to memory of PID 1284 (procid_target 30), 4 entries
  PID 1284 (cmd.exe) wrote to memory of PID 964 (procid_target 32), 4 entries
  Every target is a child the writer itself spawned (compare the Processes tree). A parent writes into a newly created child's address space as part of normal process creation, so these entries on their own do not indicate injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe"
  PID 1924
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |     Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |     PID 660
  |     Signatures: Executes dropped EXE
  |-- C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe"
        PID 1284
        Signatures: Deletes itself; Suspicious use of WriteProcessMemory
        |-- C:\Windows\SysWOW64\PING.EXE
              Command line: ping 127.0.0.1
              PID 964
              Signatures: Runs ping.exe

The command line names System32\cmd.exe but the image that runs is SysWOW64\cmd.exe: the 32-bit sample hits file-system redirection. `ping 127.0.0.1` with no `-n` sends four echo requests (roughly three seconds on Windows) and is used purely as a delay so the parent has exited before `del /q` removes its own image; the dropped MediaCenter.exe and the Run key are what remain on disk afterwards.
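The two behaviours worth alerting on in this report are the Run key pointing into the user's Temp directory (Signatures section) and the `cmd /c ping 127.0.0.1 & del /q <self>` self-deletion (Processes tree). The following is an added example, not part of the sandbox report or the sample: detection logic in Python run over process-creation and registry-set records constructed here to mirror the report's entries. The record shapes (pid, ppid, image, cmdline; pid, key, data) are assumed to be what your EDR or Sysmon pipeline provides, and the parent PID 1000 for the sample itself is an assumption, since the report does not list it.

```python
"""Added example: flag ping-delayed self-deletion and Run keys into Temp."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon event 1 or EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegistryEvent:
    """One registry value-set record (Sysmon event 13 or EDR equivalent)."""
    pid: int
    key: str
    data: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the report's process tree; ppid 1000 for the sample is assumed.
PROCESSES = [
    ProcessEvent(1924, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(660, 1924, DROPPED, DROPPED),
    ProcessEvent(1284, 1924, r"C:\Windows\SysWOW64\cmd.exe",
                 f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcessEvent(964, 1284, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REGISTRY = [
    RegistryEvent(1924,
                  r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
                  DROPPED),
]

# "ping <loopback>" used as a sleep, before any & or | operator.
PING_LOOPBACK = re.compile(r"\bping(?:\.exe)?\s[^&|]*?(?:127\.0\.0\.1|localhost|::1)", re.I)
# Trailing "del [/switches] <path>"; the path may be quoted.
DEL_TARGET = re.compile(r'\bdel\s+(?:/\S+\s+)*"?([^"&|]+?)"?\s*$', re.I)
# Run / RunOnce under either the native or the Wow6432Node view.
RUN_KEY = re.compile(r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|%TEMP%|%TMP%", re.I)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def find_self_deletion(events):
    """Return [(cmd_pid, parent_pid, deleted_path)] for each cmd.exe whose
    command line pings loopback as a delay and then deletes its parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        m = DEL_TARGET.search(e.cmdline)
        if not (m and PING_LOOPBACK.search(e.cmdline)):
            continue
        parent = by_pid.get(e.ppid)
        if parent and _norm(m.group(1)) == _norm(parent.image):
            hits.append((e.pid, e.ppid, m.group(1)))
    return hits


def find_temp_run_keys(reg_events, proc_events):
    """Return [(writer_pid, key, target, executed)] for Run/RunOnce values that
    point into the user's Temp directory. `executed` is True when the writer
    also spawned a process whose image is that target, as in this report."""
    hits = []
    for r in reg_events:
        if not (RUN_KEY.search(r.key) and TEMP_DIR.search(r.data)):
            continue
        target = _norm(r.data)
        executed = any(p.ppid == r.pid and _norm(p.image) == target for p in proc_events)
        hits.append((r.pid, r.key, r.data, executed))
    return hits


if __name__ == "__main__":
    for h in find_self_deletion(PROCESSES):
        print("self-deletion via ping delay:", h)
    for h in find_temp_run_keys(REGISTRY, PROCESSES):
        print("Run key into Temp:", h)
```

The self-deletion check deliberately requires the `del` target to equal the parent's image path rather than matching on `ping 127.0.0.1` alone, since installers and scripts also use ping as a sleep; the Run-key check correlates the persisted path with the writer's own child processes so the alert can say whether the persisted binary already ran.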