Analysis
max time kernel: 127s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:40

Static task: static1

Behavioral task: behavioral1
Sample: 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe
Resource: win10v2004-en-20220113
General
Target: 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe
Size: 36KB
MD5: 76203e970cd44a054a2eef9366da8bcc
SHA1: 0fabc3f43f6cb339d2131581dd42f0937b83ea43
SHA256: 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948
SHA512: b2c23bd35e282ecddc5f75dcd0f5769a4fc4f11a9ca1aa1cf45ef7d42ab0e18c359fe8b4d6640efb92e6236dab7ce22a56b43f33bf544042a822de79564b7b25
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes (pid, process):
1668 MediaCenter.exe

Deletes itself (1 IoC)
Processes (pid, process):
1812 cmd.exe

Loads dropped DLL (2 IoCs)
Processes (pid, process):
960 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe
960 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
Token: SeIncBasePriorityPrivilege | 960 | 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
PID 960 wrote to memory of 1668 | 960 | 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe | MediaCenter.exe
PID 960 wrote to memory of 1668 | 960 | 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe | MediaCenter.exe
PID 960 wrote to memory of 1668 | 960 | 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe | MediaCenter.exe
PID 960 wrote to memory of 1668 | 960 | 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe | MediaCenter.exe
PID 960 wrote to memory of 1812 | 960 | 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe | cmd.exe
PID 960 wrote to memory of 1812 | 960 | 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe | cmd.exe
PID 960 wrote to memory of 1812 | 960 | 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe | cmd.exe
PID 960 wrote to memory of 1812 | 960 | 0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe | cmd.exe
PID 1812 wrote to memory of 1292 | 1812 | cmd.exe | PING.EXE
PID 1812 wrote to memory of 1292 | 1812 | cmd.exe | PING.EXE
PID 1812 wrote to memory of 1292 | 1812 | cmd.exe | PING.EXE
PID 1812 wrote to memory of 1292 | 1812 | cmd.exe | PING.EXE
Processes (process tree; depth shown by indentation)

[1] C:\Users\Admin\AppData\Local\Temp\0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 960

    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 1668

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f583e446acdf8493b5645bd8925563cf4a43ca69a1e0732bc3d613b1789f948.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        PID: 1812

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 1292
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 6b23b914c393ecb6d97bdc9a0dec57fd
SHA1: b28e53781f285888299169d9951d7b0ee5547c8a
SHA256: e253e9fd1a001163960113104158c4293102b71395cc5ff2d185362602a52f49
SHA512: f1efd1e04b6813b58b92c5c133363f969fb9160351bb13dfbee0ffca2e34f21629981d5d8216e357d10e71b35ce78939b39b540783b7c165f1cf68c2c13389ee