Analysis
- max time kernel: 121s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:45
Static task
- static1
Behavioral task
- behavioral1
  Sample: 0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f.exe
  Resource: win7-en-20211208
Behavioral task
- behavioral2
  Sample: 0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f.exe
  Resource: win10v2004-en-20220113
General
- Target: 0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f.exe
- Size: 36KB
- MD5: b2b9b0cdaf750dab3c7a4a6c235c6b80
- SHA1: a63d3697b2ebcb3d50239202521ae9b4d755e948
- SHA256: 0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f
- SHA512: 565af98b59970f1bfbba4eed9726f488a15bd53c0442f8a07ec2bd7ff097e2e3f20227a90f655a35905fbdcf3f237646a2049ca38d56e49506726376aa05784f
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 516    MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid 1552   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1668   0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f.exe
    pid 1668   0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description  Set value (str)
    ioc          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process      0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f.exe
    (The Wow6432Node path is WOW64 registry redirection: the 32-bit sample wrote to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the 64-bit OS redirected it.)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic signature description. Nothing else in this report records file encryption or a ransom note; the recorded behaviour is a dropped executable, a Run-key persistence entry and self-deletion.)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description  Token: SeIncBasePriorityPrivilege
    pid 1668     0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID -> target PID, source process -> target process; each entry recorded 4 times):
    PID 1668 wrote to memory of 516    0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f.exe -> MediaCenter.exe
    PID 1668 wrote to memory of 1552   0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f.exe -> cmd.exe
    PID 1552 wrote to memory of 428    cmd.exe -> PING.EXE
  (Every source/target pair is a parent/child pair in the process tree below; no writes into unrelated processes are recorded.)
Processes
- C:\Users\Admin\AppData\Local\Temp\0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f.exe"
  PID: 1668
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 516
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f.exe"
    PID: 1552
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 428
      - Runs ping.exe
  (The command lines name System32 while the image paths are SysWOW64: the sample is a 32-bit process on x64 Windows, so file-system redirection maps its System32 references to SysWOW64. The ping to 127.0.0.1 serves only as a delay so that the parent has exited before del removes its file.)
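The process tree above shows two behaviours worth detecting on their own, independent of this sample's hashes: a cmd.exe child that deletes its parent's own image after a ping delay, and a Run key whose value points into a user-writable Temp directory. The following is an added example, not part of the sandbox report or the sample; the event records are constructed from the report's PIDs, paths and registry IoC, the field layout is an assumption rather than any real telemetry schema, and the parent PID 1000 for the sample is invented. The self-delete check generalizes beyond this exact command line: it splits any cmd.exe command line on the &, &&, | and || operators and matches `del` or `erase` with any switches.

```python
"""Detection logic for two behaviours in the process tree above (added example,
not part of the sandbox report):

  1. Self-deletion: a cmd.exe child runs `ping 127.0.0.1 & del /q "<parent image>"`,
     using ping as a delay so the parent has exited before the delete runs.
  2. Persistence: a Run/RunOnce value that launches something from a Temp directory.

Event records are constructed here from the report's PIDs, paths and registry IoC;
the field layout is an assumption, not a real telemetry schema."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int
    image: str          # image path as the OS reports it (SysWOW64 for 32-bit processes on x64)
    command_line: str   # command line as passed by the parent


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str
    value: str


# Constructed sample events mirroring the report (parent PID 1000 is assumed).
SAMPLE = "0f0f59a0e015681f99842e6e087ae400ec26d016faf86252ea5c935516c2c87f.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
MEDIA_PATH = TEMP + r"\MicroMedia\MediaCenter.exe"

PROC_EVENTS = [
    ProcEvent(1668, 1000, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(516, 1668, MEDIA_PATH, MEDIA_PATH),
    ProcEvent(1552, 1668, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'),
    ProcEvent(428, 1552, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REG_EVENTS = [
    RegEvent(1668,
             r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             MEDIA_PATH),
]

# "<cmd.exe> /c " or "/k " prefix, then commands separated by cmd's & && | || operators.
_CMD_PREFIX = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+/[ck]\s+', re.I)
_SEG_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
_DEL_RE = re.compile(r"^(?:del|erase)\b(?:\s+/\w+)*\s+(.+)$", re.I)
_PING_RE = re.compile(r"^(?:\S*\\)?ping(?:\.exe)?\b", re.I)
_RUN_KEY_RE = re.compile(r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
_TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)


def cmd_segments(command_line: str) -> list[str]:
    """Split a cmd.exe command line into its individual commands.
    Quoted paths containing '&' or '|' are not handled; cmd treats those specially too."""
    body = _CMD_PREFIX.sub("", command_line, count=1)
    return [seg for seg in _SEG_SPLIT.split(body) if seg]


def detect_self_delete(events: list[ProcEvent]) -> list[dict]:
    """Flag cmd.exe children whose command line deletes the parent's own image file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.parent_pid)
        if parent is None or not ev.image.lower().endswith("\\cmd.exe"):
            continue
        segs = cmd_segments(ev.command_line)
        ping_delay = any(_PING_RE.match(s) for s in segs)
        for seg in segs:
            m = _DEL_RE.match(seg)
            if m and m.group(1).strip().strip('"').lower() == parent.image.lower():
                hits.append({"pid": ev.pid, "parent_pid": parent.pid,
                             "deleted": parent.image, "ping_delay": ping_delay})
    return hits


def detect_temp_autorun(events: list[RegEvent]) -> list[dict]:
    """Flag Run/RunOnce values (HKLM, HKCU or Wow6432Node) that launch from a Temp directory."""
    return [{"pid": ev.pid, "key": ev.key, "value": ev.value}
            for ev in events
            if _RUN_KEY_RE.search(ev.key) and _TEMP_DIR_RE.search(ev.value)]


if __name__ == "__main__":
    for hit in detect_self_delete(PROC_EVENTS):
        print("self-delete:", hit)
    for hit in detect_temp_autorun(REG_EVENTS):
        print("temp autorun:", hit)
```

Run against the constructed events, the self-delete check returns one hit for PID 1552 naming PID 1668's image with the ping delay present, and the autorun check returns the MicroMedia Run value. Matching on the parent's image path rather than on the literal `ping 127.0.0.1 & del` string is deliberate: the delay host (ping, timeout, choice) and the del switches vary between samples, while the parent-deletes-itself relationship does not.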
Network
MITRE ATT&CK Enterprise v6
Downloads
- Three listed artifacts, all with identical hashes:
  MD5     1114ce1bebf165adeb4748af18031c6c
  SHA1    34d75f3c295e3a75c7f4159645f8e8d81715e996
  SHA256  371b309fba6343e49928a3a4ff6be6a5f4f7cdaf3c39b1cee815dee0b9176621
  SHA512  84e73f3b3caf04f68efe3614cb9ef18ca80d1fec4090cf8a3ffbb83b20439d38ba24178fb63d196ad0f554b75207fb9ece477ecfadc741f9a93fb139892c0889