Analysis
- max time kernel: 120s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:33
Static task: static1
Behavioral task: behavioral1
- Sample: 0d429badb789ae6331b9b550edfb0a65273bcae0c0f985fcdd2bf42bf4db3113.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0d429badb789ae6331b9b550edfb0a65273bcae0c0f985fcdd2bf42bf4db3113.exe
- Resource: win10v2004-en-20220112
General
- Target: 0d429badb789ae6331b9b550edfb0a65273bcae0c0f985fcdd2bf42bf4db3113.exe
- Size: 36KB
- MD5: 5c0f2c17731ef7e02ff7ecd5d17926c1
- SHA1: be3063ed40cb53e2da2e6b6f990ed1bd7faa247a
- SHA256: 0d429badb789ae6331b9b550edfb0a65273bcae0c0f985fcdd2bf42bf4db3113
- SHA512: 7c751a5682c725009aa11a857770d4071eb5f78fcf38eabea8948838080e228129cd4b33fba4b7c1b80d12beec9fc1110143bba7414230be6103b31740c8b44f
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: PID 1712 MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: PID 804 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  PID 948 0d429badb789ae6331b9b550edfb0a65273bcae0c0f985fcdd2bf42bf4db3113.exe
  PID 948 0d429badb789ae6331b9b550edfb0a65273bcae0c0f985fcdd2bf42bf4db3113.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: 0d429badb789ae6331b9b550edfb0a65273bcae0c0f985fcdd2bf42bf4db3113.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Process: PID 948 0d429badb789ae6331b9b550edfb0a65273bcae0c0f985fcdd2bf42bf4db3113.exe
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID / source process -> target PID / target process, event count):
  948 0d429badb789ae6331b9b550edfb0a65273bcae0c0f985fcdd2bf42bf4db3113.exe -> 1712 MediaCenter.exe (4 events)
  948 0d429badb789ae6331b9b550edfb0a65273bcae0c0f985fcdd2bf42bf4db3113.exe -> 804 cmd.exe (4 events)
  804 cmd.exe -> 296 PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\0d429badb789ae6331b9b550edfb0a65273bcae0c0f985fcdd2bf42bf4db3113.exe (PID 948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d429badb789ae6331b9b550edfb0a65273bcae0c0f985fcdd2bf42bf4db3113.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1712, child of 948)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 804, child of 948)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d429badb789ae6331b9b550edfb0a65273bcae0c0f985fcdd2bf42bf4db3113.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 296, child of 804)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7735d0ecc927f7c5b32ecd0e6a6c3d12
- SHA1: 8d4cc9439b45bc3d6411272eacf411c9bc7ed5f9
- SHA256: 25730e32ecd1d742fa6e51516b95f33c3a8b9506513ecf5a7cbf3200a0eaf69a
- SHA512: 3b470a0680c696d5212fde30a5b54ec2923ad0f16d841cda420294067617b0fec5532ce167919f4d89ae4da94a30c6714fb65d1546b62e10639e462a52711722