Analysis
max time kernel: 142s
max time network: 172s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:44
Static task: static1
Behavioral task: behavioral1
  Sample: 0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe
  Resource: win10v2004-en-20220112
General
Target: 0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe
Size: 58KB
MD5: 4e0d7fd491b0563794c1e7350476cd0c
SHA1: 7769ab496149f16f2d48152af83d23b31590d3d2
SHA256: 0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628
SHA512: b36efebcbc7f6cb178cf2d9727c2ecfec47f565a397d37d3292096b6c755c7c1dc747af57a64956c0c607ec748f6ee8042b0958a79277204f44893cbf97c0152
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  Processes:
    pid 1316  process MediaCenter.exe
Deletes itself (1 IoCs)
  Processes:
    pid 740  process cmd.exe
Loads dropped DLL (2 IoCs)
  Processes:
    pid 1600  process 0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe
    pid 1600  process 0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege  pid 1600  process 0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1600 wrote to memory of 1316  1600  0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe  MediaCenter.exe
    PID 1600 wrote to memory of 1316  1600  0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe  MediaCenter.exe
    PID 1600 wrote to memory of 1316  1600  0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe  MediaCenter.exe
    PID 1600 wrote to memory of 1316  1600  0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe  MediaCenter.exe
    PID 1600 wrote to memory of 740   1600  0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe  cmd.exe
    PID 1600 wrote to memory of 740   1600  0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe  cmd.exe
    PID 1600 wrote to memory of 740   1600  0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe  cmd.exe
    PID 1600 wrote to memory of 740   1600  0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe  cmd.exe
    PID 740 wrote to memory of 1044   740   cmd.exe  PING.EXE
    PID 740 wrote to memory of 1044   740   cmd.exe  PING.EXE
    PID 740 wrote to memory of 1044   740   cmd.exe  PING.EXE
    PID 740 wrote to memory of 1044   740   cmd.exe  PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe
   command: "C:\Users\Admin\AppData\Local\Temp\0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1600
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1316
   2. C:\Windows\SysWOW64\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f0f9c371839e65d2d6e6d9c2d8dda3e5704a5fbd4a9db012f766ff1e778a628.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 740
      3. C:\Windows\SysWOW64\PING.EXE
         command: ping 127.0.0.1
         - Runs ping.exe
         PID: 1044
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: a3b2d6b1931eea0753c7c819ac3bf7f2
SHA1: 0cef84a7689944e057ef43a7bf265d073c78a857
SHA256: 5a649740a6a4ef6c4d8a2680557b960bc9398eadae9a0da562df1b4c28c91b66
SHA512: b763033bcad38035da63605433c3202fadacff913ebea28a180a81c9ebce880c92a8a7386ce3d332cfb4c08de59d51f89db82126ce4fe0e89da31a0ae3c415cc