Analysis
- max time kernel: 151s
- max time network: 173s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:42
Static task
- static1
Behavioral task behavioral1
- Sample: 0f2e2d76510cf8f0801832d04aa1f384a23b6da8c9ba3d27c450eb7a86bdbe01.exe
- Resource: win7-en-20211208
Behavioral task behavioral2
- Sample: 0f2e2d76510cf8f0801832d04aa1f384a23b6da8c9ba3d27c450eb7a86bdbe01.exe
- Resource: win10v2004-en-20220112
The signatures, process tree and PIDs below are from the win7-en-20211208 run (platform windows7_x64, as stated in the Analysis header); results of the win10v2004-en-20220112 task are not included on this page.
General
- Target: 0f2e2d76510cf8f0801832d04aa1f384a23b6da8c9ba3d27c450eb7a86bdbe01.exe
- Size: 58KB
- MD5: 9dc85ad921fac13d4b28958fdea8f95e
- SHA1: c70d1277fa130adae21f0581112391843c6b8e65
- SHA256: 0f2e2d76510cf8f0801832d04aa1f384a23b6da8c9ba3d27c450eb7a86bdbe01
- SHA512: a6644ee7227e22230bae92a34a0fc096aaa103fcd636004a5847b5c8f139186f3be8a47545b9e15fb3c337165b606e0c2d270333bac074ad8b5224218e7f28c5
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1620
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 968
- Loads dropped DLL (2 IoCs)
  Process: 0f2e2d76510cf8f0801832d04aa1f384a23b6da8c9ba3d27c450eb7a86bdbe01.exe, PID 1580 (two loads recorded)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 0f2e2d76510cf8f0801832d04aa1f384a23b6da8c9ba3d27c450eb7a86bdbe01.exe (PID 1580) set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path means a 32-bit process wrote the HKLM Run key on a 64-bit host, and the autostart target lives in the user's Temp directory rather than a program directory: a machine-wide persistence entry pointing at a user-writable path.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic for the drive-enumeration call; no encryption-related signature fires anywhere in this report.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process 0f2e2d76510cf8f0801832d04aa1f384a23b6da8c9ba3d27c450eb7a86bdbe01.exe (PID 1580) enabled token privilege SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Each parent-to-child write below was recorded four times, which is the sandbox's normal trace of a process being created, not an injection into an unrelated process:
  - PID 1580 (0f2e2d76510cf8f0801832d04aa1f384a23b6da8c9ba3d27c450eb7a86bdbe01.exe) wrote to memory of PID 1620 (MediaCenter.exe), 4 times
  - PID 1580 (0f2e2d76510cf8f0801832d04aa1f384a23b6da8c9ba3d27c450eb7a86bdbe01.exe) wrote to memory of PID 968 (cmd.exe), 4 times
  - PID 968 (cmd.exe) wrote to memory of PID 1152 (PING.EXE), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0f2e2d76510cf8f0801832d04aa1f384a23b6da8c9ba3d27c450eb7a86bdbe01.exe (PID 1580)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f2e2d76510cf8f0801832d04aa1f384a23b6da8c9ba3d27c450eb7a86bdbe01.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1620)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 968)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f2e2d76510cf8f0801832d04aa1f384a23b6da8c9ba3d27c450eb7a86bdbe01.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1152)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
The command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe: WOW64 file-system redirection, which confirms the sample is a 32-bit process on this 64-bit host and is consistent with the Run key landing under Wow6432Node. The `ping 127.0.0.1` serves only as a delay so that the parent has exited before `del /q` removes its file; what survives on disk is the dropped copy, MediaCenter.exe, registered in the Run key.
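Detection logic for the two behaviours this report records, a Run key written under Wow6432Node that points into the user's Temp directory and the `cmd /c ping 127.0.0.1 & del /q` self-deletion, as an added Python example. This is not sandbox output or code from the report; the events are constructed in a Sysmon-like shape from the process tree and IoCs above plus one benign control, and the field names, rule names and the list of user-writable locations are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

SAMPLE = "0f2e2d76510cf8f0801832d04aa1f384a23b6da8c9ba3d27c450eb7a86bdbe01.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"


def in_temp(name: str) -> str:
    return TEMP + "\\" + name


# Constructed events (not sandbox output) in a Sysmon-like shape: process
# creation and registry value set, modelled on the report's process tree and
# IoCs. The last entry is a benign control: a cleanup command that deletes a
# log file, not the process that spawned it.
EVENTS: List[Dict] = [
    {"type": "process", "pid": 1580, "ppid": 1300, "image": in_temp(SAMPLE),
     "cmdline": '"' + in_temp(SAMPLE) + '"'},
    {"type": "registry", "pid": 1580,
     "key": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroMedia",
     "data": in_temp("MicroMedia\\MediaCenter.exe")},
    {"type": "process", "pid": 1620, "ppid": 1580,
     "image": in_temp("MicroMedia\\MediaCenter.exe"),
     "cmdline": in_temp("MicroMedia\\MediaCenter.exe")},
    {"type": "process", "pid": 968, "ppid": 1580, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "'
                + in_temp(SAMPLE) + '"'},
    {"type": "process", "pid": 1152, "ppid": 968, "image": "C:\\Windows\\SysWOW64\\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"type": "process", "pid": 2000, "ppid": 1, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c ping -n 3 127.0.0.1 & del /q C:\\Logs\\old.log"},
]

# Run / RunOnce keys in either the native or the Wow6432Node view of HKLM/HKCU.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Autostart targets in user-writable locations are the suspicious case (assumed list).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")
# "ping <anything> & del [/flags] <path>": the loopback ping is only a delay.
DELAYED_DELETE = re.compile(
    r"\bping(?:\.exe)?\b[^&|]*[&|]{1,2}\s*(?:del|erase)\b((?:\s+/\w)*)\s+(.+?)\s*$",
    re.IGNORECASE,
)


def run_key_finding(ev: Dict) -> Optional[Dict]:
    """Flag a Run/RunOnce value whose target lives in a user-writable directory."""
    if ev["type"] != "registry" or not RUN_KEY.search(ev["key"]):
        return None
    if not any(loc in ev["data"].lower() for loc in USER_WRITABLE):
        return None
    return {"rule": "run_key_user_writable", "pid": ev["pid"], "key": ev["key"],
            "target": ev["data"], "wow64": "\\wow6432node\\" in ev["key"].lower()}


def self_delete_finding(ev: Dict, by_pid: Dict[int, Dict]) -> Optional[Dict]:
    """Flag a ping-then-del command line; mark it as self-deletion when the
    deleted path is the image of the process that spawned this cmd.exe."""
    if ev["type"] != "process":
        return None
    m = DELAYED_DELETE.search(ev["cmdline"])
    if not m:
        return None
    target = m.group(2).strip().strip('"')
    parent = by_pid.get(ev["ppid"])
    deletes_parent = parent is not None and parent["image"].lower() == target.lower()
    return {"rule": "delayed_delete_via_ping", "pid": ev["pid"], "target": target,
            "deletes_parent": deletes_parent, "quiet": "/q" in m.group(1).lower()}


def analyse(events: List[Dict]) -> List[Dict]:
    """Run both rules over an event list; findings come back in event order."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for ev in events:
        for f in (run_key_finding(ev), self_delete_finding(ev, by_pid)):
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The parent-image comparison is what separates the sample's `del /q` from the benign cleanup command: both match the ping-then-del pattern, but only the first deletes the image of the process that launched cmd.exe, so `deletes_parent` is the field to alert on. Run it over real Sysmon EID 1 and EID 13 data by mapping Image/CommandLine/ParentProcessId and TargetObject/Details onto the same dictionary keys.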
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fe5fd88f1c92fa85714a240feca11183
- SHA1: 04315ab0f9e987235b3eaf31321915b490afaba6
- SHA256: d23828bdaccbeba56087c765b421777b7366fae020da0f005ffec6633f95ccef
- SHA512: db1c5186ae489b5db48163319994594afa5bcb721effffa152f3c3bb6c41013fd386a818ce11042953a4f7ca98e052042c8e4a9dbeea2df08631e200685a7abc