Analysis
- max time kernel: 122s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:42
Static task: static1
Behavioral task: behavioral1
- Sample: 0f34fbcd5a8ad2997e1cf7dfb8000c997ec152e1ec1396d5f01db265a9d54b94.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0f34fbcd5a8ad2997e1cf7dfb8000c997ec152e1ec1396d5f01db265a9d54b94.exe
- Resource: win10v2004-en-20220113
General
- Target: 0f34fbcd5a8ad2997e1cf7dfb8000c997ec152e1ec1396d5f01db265a9d54b94.exe
- Size: 36KB
- MD5: a71554d01ff67e91e0fd422e800b2cb3
- SHA1: 2cf6b880e294b7a48c236d5e9ec0d3c6e3ba9d69
- SHA256: 0f34fbcd5a8ad2997e1cf7dfb8000c997ec152e1ec1396d5f01db265a9d54b94
- SHA512: c05dc8762f3a5b5b9192ce8322fe670489d7f0a83c58ef8661ea6cbe92aabf7a8cc29f729742f3be76a7ad903b547bc110fe299309eed1af16e413eed3263013
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   process
  1084  MediaCenter.exe
- Deletes itself (1 IoC)
  pid   process
  1648  cmd.exe
  The dropper spawns cmd.exe /c ping 127.0.0.1 & del /q "<its own path>"; the ping is a delay so the parent has exited before the del runs.
- Loads dropped DLL (2 IoCs)
  pid   process
  1096  0f34fbcd5a8ad2997e1cf7dfb8000c997ec152e1ec1396d5f01db265a9d54b94.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                  process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0f34fbcd5a8ad2997e1cf7dfb8000c997ec152e1ec1396d5f01db265a9d54b94.exe
  Persistence is machine-wide (HKLM) under Wow6432Node, i.e. written by a 32-bit process on a 64-bit host, and points into the user's Temp directory.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is the signature's generic description: this trace records no file encryption, mass file modification or ransom note, so treat the signature as a heuristic rather than a ransomware verdict.
- Runs ping.exe (1 TTP, 1 IoC)
  pid   process
  1628  PING.EXE (ping 127.0.0.1, spawned by cmd.exe 1648)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1096  0f34fbcd5a8ad2997e1cf7dfb8000c997ec152e1ec1396d5f01db265a9d54b94.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   process                                                                    target process
  PID 1096 wrote to memory of 1084    1096  0f34fbcd5a8ad2997e1cf7dfb8000c997ec152e1ec1396d5f01db265a9d54b94.exe  MediaCenter.exe (4 events)
  PID 1096 wrote to memory of 1648    1096  0f34fbcd5a8ad2997e1cf7dfb8000c997ec152e1ec1396d5f01db265a9d54b94.exe  cmd.exe (4 events)
  PID 1648 wrote to memory of 1628    1648  cmd.exe                                                                    PING.EXE (4 events)
  All three writes are parent-to-child at process creation (the pattern of a normal CreateProcess); nothing here shows injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0f34fbcd5a8ad2997e1cf7dfb8000c997ec152e1ec1396d5f01db265a9d54b94.exe (PID 1096)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\0f34fbcd5a8ad2997e1cf7dfb8000c997ec152e1ec1396d5f01db265a9d54b94.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1084)
    cmdline: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1648)
    cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f34fbcd5a8ad2997e1cf7dfb8000c997ec152e1ec1396d5f01db265a9d54b94.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1628)
      cmdline: ping 127.0.0.1
      - Runs ping.exe
The image path is SysWOW64 although the command line names System32: the dropper is a 32-bit process, so WOW64 file-system redirection resolved the path (consistent with the Run key landing under Wow6432Node). When hunting, match on the command line rather than the image path.
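The process tree above records two host-side behaviours worth hunting for: a Run value under HKLM\...\Wow6432Node\...\CurrentVersion\Run that points into the user's Temp directory, and the cmd.exe /c ping 127.0.0.1 & del /q "<self>" idiom the dropper uses to remove its own binary after MediaCenter.exe is running. The Python below is an added example, not part of this report or the sandbox's own output. It runs both checks over constructed Sysmon-style process and registry events that mirror the tree above; the field names, the dropper's parent PID 900 and the benign "Updater" control entry are assumptions made for the example.

```python
"""Hunt for the two behaviours the report records: a Run key whose target lives
in a user-writable directory, and the cmd.exe "ping & del" self-deletion idiom
where the file being deleted is the parent process's own image."""
import re

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0f34fbcd5a8ad2997e1cf7dfb8000c997ec152e1ec1396d5f01db265a9d54b94.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report's process tree and registry IoC.
# Field names are assumed (Sysmon-like); this is not the sandbox's schema.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1096, "ppid": 900, "image": DROPPER,
     "cmdline": '"' + DROPPER + '"'},
    {"type": "registry", "pid": 1096,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": PAYLOAD},
    {"type": "process", "pid": 1084, "ppid": 1096, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"type": "process", "pid": 1648, "ppid": 1096, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + DROPPER + '"'},
    {"type": "process", "pid": 1628, "ppid": 1648, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign control (assumed): a Run entry under Program Files must not fire.
    {"type": "registry", "pid": 555,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
]

# "/c ping <anything> & del [/switches] <path>" with an optional quoted path.
SELF_DELETE_RE = re.compile(
    r'/c\s+ping\b[^&]*&\s*del\s+(?:/\w\s+)*"?(?P<path>[^"&]+?)"?\s*$', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Directories a standard user can write to; autostart targets here are suspect.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def _norm(path):
    """Case-fold and strip quotes so the del target compares to an image path."""
    return path.strip().strip('"').lower()


def find_self_delete(events):
    """Flag cmd.exe children whose 'ping & del' target is the parent's own image."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        parent = image_by_pid.get(e["ppid"])
        # Only fire when the deleted file is the parent process's own binary;
        # an unrelated "ping & del" is a weaker signal.
        if parent and _norm(parent) == _norm(m.group("path")):
            hits.append({"rule": "self_delete_via_ping", "pid": e["pid"], "deleted": parent})
    return hits


def find_user_writable_run_keys(events):
    """Flag Run-key values (HKLM or HKCU, native or Wow6432Node) whose target
    lives in a directory the user can write to."""
    hits = []
    for e in events:
        if (e["type"] == "registry" and RUN_KEY_RE.search(e["key"])
                and USER_WRITABLE_RE.search(e["data"])):
            hits.append({"rule": "run_key_user_writable", "pid": e["pid"],
                         "key": e["key"], "target": e["data"]})
    return hits


def hunt(events):
    """Run both rules; self-deletion findings come first, then Run-key findings."""
    return find_self_delete(events) + find_user_writable_run_keys(events)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Against the constructed events the self-delete rule fires on PID 1648 (cmd.exe deleting the dropper that spawned it) and the Run-key rule fires on the MicroMedia value, while the Program Files control entry stays silent. Matching on the command line rather than the image path keeps the rule immune to the SysWOW64/System32 redirection seen in the tree.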
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7022d3629e8daa607b871a87f780c0be
- SHA1: b3afbc50fa796ec556c1ba627d47d443d1e905c0
- SHA256: 417bd2e121c92a387dd155d7b322c775f5ba157c26f1d089357530e36e9325d1
- SHA512: 4cbae80fd4d1de2eaf1e98372eff65845187b6951003d317eeb38d420f0aa6e11d9968285e9366f3871e55ad7286d6c6a0fc0c1dbb4b4a0c0d7976d79f298ca9