Analysis
- max time kernel: 149s
- max time network: 173s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:38
Static task: static1
Behavioral task: behavioral1
- Sample: 0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
- Resource: win10v2004-en-20220112
General
- Target: 0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
- Size: 35KB
- MD5: 8ed4bbe4c71b9012b4f805619e68bd49
- SHA1: 91faeb75d8db34fc8a6512d41cccf00bcd250405
- SHA256: 0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f
- SHA512: 9fd940452e1bd8d32910e1a825e3f2289a5457861a6237da03098003611724a175ece2054c51efa15a17d1112ccdbfc0737595a1825dffdab28509bacf3fcf4e
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 660  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid 1284  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1924  0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
    pid 1924  0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid 1924  0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid -> target pid, source process -> target process; each entry recorded 4 times):
    PID 1924 wrote to memory of 660   0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe -> MediaCenter.exe
    PID 1924 wrote to memory of 1284  0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe -> cmd.exe
    PID 1284 wrote to memory of 964   cmd.exe -> PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe"
  PID: 1924
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 660
    - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f690f1394891d0dfac8da15b53f0b038d1edb5b70505362f2e0e36393099d9f.exe"
    PID: 1284
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 964
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2ecccd901ec2eff08114d0cc91bd0e86
- SHA1: 13887e722d59ecda73721d86dc715970300e827b
- SHA256: 5b21865be62b9f156be6162c1ff9c11320fd5b6b28105714045d67dd8d0b9e97
- SHA512: 98366b3e8c102b31662169b4d5e2c4bbd8562af7a95121594cba83c2c5a5ec3ac906302c96b4b794807f2f1dccb588a5b8abdba35663a9df5319deaddd7ccea1