Analysis
max time kernel: 146s
max time network: 172s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:40
Static task: static1
Behavioral task: behavioral1
  Sample: 0f4df7c13737ffcbf9ffda0868a995db9419ee2fa4f249fef5d1525221e2fbde.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f4df7c13737ffcbf9ffda0868a995db9419ee2fa4f249fef5d1525221e2fbde.exe
  Resource: win10v2004-en-20220112
General
Target: 0f4df7c13737ffcbf9ffda0868a995db9419ee2fa4f249fef5d1525221e2fbde.exe
Size: 36KB
MD5: be3dab666b42f384fa55ea183a0fbffb
SHA1: 00e9e65b526dc1692ef03c44c42ae447bd878125
SHA256: 0f4df7c13737ffcbf9ffda0868a995db9419ee2fa4f249fef5d1525221e2fbde
SHA512: 66e6e8b1eb5671e80c3888670ea91a2972df5a50ba691d631fa7f48a26e76c0c8dc187f8ae9d0fb6e3cd1960047f855c5eddabea45470a04848e765c4f67c902
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1528  MediaCenter.exe
Deletes itself (1 IoC)
  Processes (pid / process):
    620  cmd.exe
Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1520  0f4df7c13737ffcbf9ffda0868a995db9419ee2fa4f249fef5d1525221e2fbde.exe
    1520  0f4df7c13737ffcbf9ffda0868a995db9419ee2fa4f249fef5d1525221e2fbde.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    0f4df7c13737ffcbf9ffda0868a995db9419ee2fa4f249fef5d1525221e2fbde.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege
    1520  0f4df7c13737ffcbf9ffda0868a995db9419ee2fa4f249fef5d1525221e2fbde.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1520 wrote to memory of 1528  0f4df7c13737ffcbf9ffda0868a995db9419ee2fa4f249fef5d1525221e2fbde.exe -> MediaCenter.exe  (4 events)
    PID 1520 wrote to memory of 620   0f4df7c13737ffcbf9ffda0868a995db9419ee2fa4f249fef5d1525221e2fbde.exe -> cmd.exe  (4 events)
    PID 620 wrote to memory of 1156   cmd.exe -> PING.EXE  (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\0f4df7c13737ffcbf9ffda0868a995db9419ee2fa4f249fef5d1525221e2fbde.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0f4df7c13737ffcbf9ffda0868a995db9419ee2fa4f249fef5d1525221e2fbde.exe"
  PID: 1520
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1528
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f4df7c13737ffcbf9ffda0868a995db9419ee2fa4f249fef5d1525221e2fbde.exe"
    PID: 620
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 1156
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: cef77b92a5786ad8bc07a34e854b1d02
SHA1: 1ac06d8457f92397e85e173fc8b8f58ad46aaa2e
SHA256: 0d00436099344f05753c697adcedc929be54c61aad00bbe8524efc38b54f5409
SHA512: b3fd12a371a6063d003f5d6d356119b298497f813c58caa38a182ea6dfea1921a9b7402a2944b86c7f45b29bdce9e4dd0f57898bbbc649b191b768e8622318d3