Analysis
max time kernel: 125s
max time network: 143s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:31
Static task: static1
Behavioral task: behavioral1
  Sample: 0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe
  Resource: win10v2004-en-20220113
General
Target: 0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe
Size: 60KB
MD5: 722ebcbbdf3a08e7a4d6866b0334e3e1
SHA1: e7ec514dd050674eafc94de32f89a2c099acaa8d
SHA256: 0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2
SHA512: 135724d305aa020a86c11a8c046dfddc553377f67ffc5e4028f35a350dec869672a7e11ba29f4625f25974b2ac22dd156169dc76210922d865d33422e92800db
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 320  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    PID 600  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 976  0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe
    PID 976  0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeIncBasePriorityPrivilege  PID 976  0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process):
    PID 976 wrote to memory of 320   0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe -> MediaCenter.exe
    PID 976 wrote to memory of 320   0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe -> MediaCenter.exe
    PID 976 wrote to memory of 320   0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe -> MediaCenter.exe
    PID 976 wrote to memory of 320   0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe -> MediaCenter.exe
    PID 976 wrote to memory of 600   0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe -> cmd.exe
    PID 976 wrote to memory of 600   0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe -> cmd.exe
    PID 976 wrote to memory of 600   0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe -> cmd.exe
    PID 976 wrote to memory of 600   0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe -> cmd.exe
    PID 600 wrote to memory of 1084  cmd.exe -> PING.EXE
    PID 600 wrote to memory of 1084  cmd.exe -> PING.EXE
    PID 600 wrote to memory of 1084  cmd.exe -> PING.EXE
    PID 600 wrote to memory of 1084  cmd.exe -> PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 976
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 320
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d59c5ba879ab22421c28ff70194a9a7cff1152df2c08581f1469062b0acd2a2.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 600
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1084
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 74a476bf0795b79938f67780b153400e
  SHA1: 7481c5edc22c7e7b4df01490997a4b9cb12079b1
  SHA256: 0b1106c298059d4f9129298283524fb58ef3ad8f56f58e1c979cc5c191543eda
  SHA512: 244fc0060f71c0aca7354754bba26d45178737241acb0e71819f1c7327087bb8ea5120bb12d37e53e981779bddedf8cd0acca457f0e8a0305e8b4a4668dde579