Analysis
- max time kernel: 122s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:41
Static task: static1
Behavioral task: behavioral1
- Sample: 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
- Resource: win10v2004-en-20220113
General
- Target: 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
- Size: 60KB
- MD5: 82b64f2a0fc8162f7eb27dd8aceef28e
- SHA1: b229e8e9567aa09bb93cff460a7c12102562e459
- SHA256: 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90
- SHA512: 5fb8dbf911476fb0b83b00e975fa689aa82119437910ca5a3f7ad7b9b16d462e3c521d5700ec0a35662cae9859bb76b45b8f3832d2bab54a388a8ebe2bc56133
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1924 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    392 / cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1568 / 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
    1568 / 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 1568 / 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1568 wrote to memory of 1924 / 1568 / 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe / MediaCenter.exe (recorded 4 times)
    PID 1568 wrote to memory of 392 / 1568 / 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe / cmd.exe (recorded 4 times)
    PID 392 wrote to memory of 784 / 392 / cmd.exe / PING.EXE (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe"
  PID: 1568
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1924
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe"
    PID: 392
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 784
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2e2366d9e3370b8f6022d3399ed714e4
  SHA1: 262dbd02abbbe5def46d54c98ab626a891f25c05
  SHA256: d7731dab715e58724dc60290b2627b2a39fddf6b261d380ccdf677ae0bb1a29d
  SHA512: be796f1dc336b5dd2c2dcaa7f778d435bc2977742f72967a3abe36c39c0db0f7f219e67f1951d360c512b8bcbfc4f9627bc758467699d35b77092fb0270cfb75