Analysis
- max time kernel: 147s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:36
Static task: static1
Behavioral task: behavioral1
  Sample: 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe
  Resource: win10v2004-en-20220113
General
- Target: 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe
- Size: 36KB
- MD5: f7e1c5bc2f865c8eca74bc47622149ad
- SHA1: c9dc62e8961b976f9be1941ce31063dd5c38a72a
- SHA256: 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449
- SHA512: 9f4bbd20a5e6d33ef593bb3e468733ac3b0cfc33b26c48a3d65cfff8178dff4e0ac71fd76bc5722733dc0fa9c83b6270df832cae2a931a16ca55c2182161143c
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 520  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid 1296  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 288  0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    pid 288  0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid / process -> target pid / process):
    PID 288 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe wrote to memory of 520 MediaCenter.exe (4 entries)
    PID 288 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe wrote to memory of 1296 cmd.exe (4 entries)
    PID 1296 cmd.exe wrote to memory of 1488 PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe"
  PID: 288
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 520
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe"
    PID: 1296
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 1488
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 41b2e575364a8f358c346c71d05fbe70
  SHA1: 407e63ada0f193de154d4dda4083fba28671da6f
  SHA256: be8b81e3d4bcd466e755016caeba60f69708615a22fdc334b32f46959303f51f
  SHA512: e3ef8dbc7767f5742f82c3a558cdd0387fdf370f95dcf29941bbf6750293c5b5d990aaa918ba03056b397e21a3a84bd9300ba6192825f560e30a21607b44ae69