Analysis
- max time kernel: 124s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:28
Static task: static1
Behavioral task: behavioral1
- Sample: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe
- Resource: win10v2004-en-20220113
General
- Target: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe
- Size: 36KB
- MD5: 36eeadbbbf07c3a3896db43cc1a60f91
- SHA1: 4141064204fed494d8b072294e8a120a993ba4c0
- SHA256: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a
- SHA512: fb4a67a3f34a06a538d449b4576fa5dedf6aae6dcfd8bdfc3bdc0eeb274b3ef2f6a9e3286db55b5ef64f6f948123fe1cc662f59b62256aa3bea4ddf7463426e3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe, PID 588
- Deletes itself (1 IoC)
  Processes: cmd.exe, PID 1968
- Loads dropped DLL (2 IoCs)
  Processes: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe, PID 320 (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe, PID 320
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 320 (0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe) wrote to memory of PID 588 (MediaCenter.exe): 4 events
  PID 320 (0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe) wrote to memory of PID 1968 (cmd.exe): 4 events
  PID 1968 (cmd.exe) wrote to memory of PID 1540 (PING.EXE): 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 320
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 588
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1968
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1540
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 805c08e80980e3360f0d04e0b80e3d50
  SHA1: c64508670e038ec1d3b08caaab61656d279b17b3
  SHA256: 2aa7519fb1da08111ec7941594a645e8c3e30b4e3a1499e3003ffc9cef4f9b9f
  SHA512: 94fd1a0f1b7265948ebdd84cd89845c7fc639fe72ebf20c5498dadc32df54937da918b2ea4aa2bf7dcd117eb0992a7396382fd001267b7d966b2a5ef16d665d0