Analysis
max time kernel: 142s
max time network: 171s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:41
Static task: static1
Behavioral task: behavioral1
  Sample: 0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe
  Resource: win10v2004-en-20220113
General
Target: 0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe
Size: 36KB
MD5: b2cb417feda9690a22b6b5254f14ada3
SHA1: 34d3be7767a24056c93073f18387598f89c24bc6
SHA256: 0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8
SHA512: 67f677a38de6a0e99304334573b2d04c397d31295b3726d69aa90c6c9782bb2ccbe0508add12d67718a812e372c3172764d2eb2d827b4c3c8ef72c2d38bc6afc
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  1916  MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  1848  cmd.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1592  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe
  1592  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   1592  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                            pid   process                                                                  target process
  PID 1592 wrote to memory of 1916       1592  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe    MediaCenter.exe
  PID 1592 wrote to memory of 1916       1592  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe    MediaCenter.exe
  PID 1592 wrote to memory of 1916       1592  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe    MediaCenter.exe
  PID 1592 wrote to memory of 1916       1592  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe    MediaCenter.exe
  PID 1592 wrote to memory of 1848       1592  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe    cmd.exe
  PID 1592 wrote to memory of 1848       1592  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe    cmd.exe
  PID 1592 wrote to memory of 1848       1592  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe    cmd.exe
  PID 1592 wrote to memory of 1848       1592  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe    cmd.exe
  PID 1848 wrote to memory of 1648       1848  cmd.exe                                                                  PING.EXE
  PID 1848 wrote to memory of 1648       1848  cmd.exe                                                                  PING.EXE
  PID 1848 wrote to memory of 1648       1848  cmd.exe                                                                  PING.EXE
  PID 1848 wrote to memory of 1648       1848  cmd.exe                                                                  PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe"
  PID: 1592
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1916
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe"
    PID: 1848
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1648
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c0f7fc746883a0c17a39b6f974065b90
SHA1: 023fc9b3b03dcf0062206bd0d6d57ba35227b9a4
SHA256: db02177b1b22cff01ad34510ddce8d95651e8b7996094df9a9f823bba03355ed
SHA512: 6859b66cf28d461c12a7a5e65d480241c5b5a7a4cef94081fc0561623201c7923eef48aec47217bcce1b80c03d78f03854e0905656503f07b774b7db938fef4b