Analysis
Max time kernel: 122s
Max time network: 134s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 07:29
Static task: static1
Behavioral task: behavioral1
  Sample: 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe
  Resource: win10v2004-en-20220113
General
Target: 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe
Size: 36KB
MD5: 71fa991a13afcf741c450bf05f992589
SHA1: faec377250577056db0a999029d5512a4c08c59f
SHA256: 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb
SHA512: 49f8f7b1df04a6be29b8394454768386941a07d3600561c516640b34185b8e1ab38af96dfc324c65af78a03e2468ede588524248adcde24d3838dac8a4b71695
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  648 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  1476 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1512 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe
  1512 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (set by 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege 1512 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1512 wrote to memory of 648 | 1512 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe | MediaCenter.exe
  PID 1512 wrote to memory of 648 | 1512 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe | MediaCenter.exe
  PID 1512 wrote to memory of 648 | 1512 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe | MediaCenter.exe
  PID 1512 wrote to memory of 648 | 1512 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe | MediaCenter.exe
  PID 1512 wrote to memory of 1476 | 1512 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe | cmd.exe
  PID 1512 wrote to memory of 1476 | 1512 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe | cmd.exe
  PID 1512 wrote to memory of 1476 | 1512 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe | cmd.exe
  PID 1512 wrote to memory of 1476 | 1512 0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe | cmd.exe
  PID 1476 wrote to memory of 1820 | 1476 cmd.exe | PING.EXE
  PID 1476 wrote to memory of 1820 | 1476 cmd.exe | PING.EXE
  PID 1476 wrote to memory of 1820 | 1476 cmd.exe | PING.EXE
  PID 1476 wrote to memory of 1820 | 1476 cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1512
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 648
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d75a9dc34fd145ac9b3132d0edbdd30d80974f1224c42d6ce073a587e35e5fb.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1476
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1820
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 04bebb2a0359675ab322d52ddb2d3739
  SHA1: 98ec79d458fda635795be0adaa217063a5f9f95a
  SHA256: 852d683cc10d83b0eb41c518d9a3471f76ad7359e7d3296ca88c7f83fddb1aae
  SHA512: 9b8b5e70d1dfe674fa6e85c487fe7dbde367d7ffaa35602ae93b07407a5946fd150abb849cfef9e77c0e3723d0f1f353071ecb00b5a930e1cf6d13b57fa9dffb