Analysis
-
max time kernel
148s -
max time network
176s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 06:44
Static task
static1
Behavioral task
behavioral1
Sample
0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe
Resource
win10v2004-en-20220112
General
-
Target
0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe
-
Size
35KB
-
MD5
b15e6b2f0a0108617f4c67d38bb4189c
-
SHA1
8e1a5e14c0e96d82be1e53b00c8e94bc513e0b65
-
SHA256
0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9
-
SHA512
84623967764d10af9319ab1d535d68829230640faf97ad8948edc46a1d1e7b854840ca03326300f99fc437d6862e7322ba60c6f7c6aa868eccc6918a618dbe44
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1204 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1708 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exepid process 1180 0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe 1180 0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exedescription pid process Token: SeIncBasePriorityPrivilege 1180 0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.execmd.exedescription pid process target process PID 1180 wrote to memory of 1204 1180 0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe MediaCenter.exe PID 1180 wrote to memory of 1204 1180 0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe MediaCenter.exe PID 1180 wrote to memory of 1204 1180 0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe MediaCenter.exe PID 1180 wrote to memory of 1204 1180 0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe MediaCenter.exe PID 1180 wrote to memory of 1708 1180 0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe cmd.exe PID 1180 wrote to memory of 1708 1180 0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe cmd.exe PID 1180 wrote to memory of 1708 1180 0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe cmd.exe PID 1180 wrote to memory of 1708 1180 0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe cmd.exe PID 1708 wrote to memory of 1012 1708 cmd.exe PING.EXE PID 1708 wrote to memory of 1012 1708 cmd.exe PING.EXE PID 1708 wrote to memory of 1012 1708 cmd.exe PING.EXE PID 1708 wrote to memory of 1012 1708 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe"C:\Users\Admin\AppData\Local\Temp\0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f12374a44a3f27f5999149c608bf121027d64dcc54fd73552f6888d65304ed9.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1012
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f02c6540275c9a9702d59a3d3f7c4c13
SHA1d89fb1902a66892ab91dc6d97ce9c00819132f7a
SHA2568d927116a7ccb67dec7a07a8080c32a62d3e28eee3551f3a22449736285e3097
SHA512243661f2f972740c94ee3ee2af3ae94ceea7c435df9e3671af6fffaf7ce6f7f55fb98fec806df2eb7d216f2a6d2b23ac824479f0c785cc1b75c4fc4e2fd57f50
-
MD5
f02c6540275c9a9702d59a3d3f7c4c13
SHA1d89fb1902a66892ab91dc6d97ce9c00819132f7a
SHA2568d927116a7ccb67dec7a07a8080c32a62d3e28eee3551f3a22449736285e3097
SHA512243661f2f972740c94ee3ee2af3ae94ceea7c435df9e3671af6fffaf7ce6f7f55fb98fec806df2eb7d216f2a6d2b23ac824479f0c785cc1b75c4fc4e2fd57f50
-
MD5
f02c6540275c9a9702d59a3d3f7c4c13
SHA1d89fb1902a66892ab91dc6d97ce9c00819132f7a
SHA2568d927116a7ccb67dec7a07a8080c32a62d3e28eee3551f3a22449736285e3097
SHA512243661f2f972740c94ee3ee2af3ae94ceea7c435df9e3671af6fffaf7ce6f7f55fb98fec806df2eb7d216f2a6d2b23ac824479f0c785cc1b75c4fc4e2fd57f50