Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:34
Static task: static1
Behavioral task: behavioral1
  Sample: 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
  Resource: win10v2004-en-20220113
General
- Target: 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
- Size: 58KB
- MD5: 1d0fb8311f5aee8128ee0061c026ffb5
- SHA1: 313d684ce23dc0b880bb7423e5e544676b180705
- SHA256: 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8
- SHA512: 0caa5662b7c25ee655e886d11cdab9eef364da644e20d8340010308a4a339a5ce82fdda8498b64fc33799eda868ce881b393a41e6d0d76c2e1663a273de56901
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    MediaCenter.exe: pid 1568, process MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    cmd.exe: pid 1964, process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe: pid 1692, process 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
    0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe: pid 1692, process 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
      description: Set value (str)
      ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
      process: 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
      description: Token: SeIncBasePriorityPrivilege
      pid: 1692
      process: 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe, cmd.exe
    description | pid | process | target process
    PID 1692 wrote to memory of 1568 | 1692 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | MediaCenter.exe
    PID 1692 wrote to memory of 1568 | 1692 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | MediaCenter.exe
    PID 1692 wrote to memory of 1568 | 1692 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | MediaCenter.exe
    PID 1692 wrote to memory of 1568 | 1692 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | MediaCenter.exe
    PID 1692 wrote to memory of 1964 | 1692 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | cmd.exe
    PID 1692 wrote to memory of 1964 | 1692 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | cmd.exe
    PID 1692 wrote to memory of 1964 | 1692 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | cmd.exe
    PID 1692 wrote to memory of 1964 | 1692 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | cmd.exe
    PID 1964 wrote to memory of 1040 | 1964 | cmd.exe | PING.EXE
    PID 1964 wrote to memory of 1040 | 1964 | cmd.exe | PING.EXE
    PID 1964 wrote to memory of 1040 | 1964 | cmd.exe | PING.EXE
    PID 1964 wrote to memory of 1040 | 1964 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1692
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1568
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1964
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1040
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 57efabc782084f3bb973775056e3c431
  SHA1: 16a9b78fe3bb3b76951556cd0c8ab8d51d1d6435
  SHA256: 2acf020fc5ac2b746bb59ceb1a174d9262f3a48dbd2d8aee7c44699d40e5c052
  SHA512: 0a32b535d3b7bfe2d65dd597ac5a8074a937fd119349d763a1dca410841d195584a4b9e61431a66931846835f169cca8e3c2bc59b2675ca147c6d18940da951a
- MD5: 57efabc782084f3bb973775056e3c431
  SHA1: 16a9b78fe3bb3b76951556cd0c8ab8d51d1d6435
  SHA256: 2acf020fc5ac2b746bb59ceb1a174d9262f3a48dbd2d8aee7c44699d40e5c052
  SHA512: 0a32b535d3b7bfe2d65dd597ac5a8074a937fd119349d763a1dca410841d195584a4b9e61431a66931846835f169cca8e3c2bc59b2675ca147c6d18940da951a
- MD5: 57efabc782084f3bb973775056e3c431
  SHA1: 16a9b78fe3bb3b76951556cd0c8ab8d51d1d6435
  SHA256: 2acf020fc5ac2b746bb59ceb1a174d9262f3a48dbd2d8aee7c44699d40e5c052
  SHA512: 0a32b535d3b7bfe2d65dd597ac5a8074a937fd119349d763a1dca410841d195584a4b9e61431a66931846835f169cca8e3c2bc59b2675ca147c6d18940da951a