Analysis
- max time kernel: 126s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:35
Static task: static1
Behavioral task: behavioral1
  Sample: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
  Resource: win10v2004-en-20220113
General
- Target: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
- Size: 58KB
- MD5: 55607a2c33c2d144d7b06827aafc7d2f
- SHA1: 3271b8eb7558c2b4423e18eaa81a89fa1066e924
- SHA256: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0
- SHA512: c51531d4ccca5e1fc95e00f05bceaabc7920949e02ae0a19b9bb6d964eb3594f85dd0fd9ea952cb6024b5fe9130744cb8b1b4e1147a2318d04df28cff06c5eb2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1648, process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid 1944, process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1276, process 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
    pid 1276, process 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid 1276, process 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid -> target pid, source process, target process):
    PID 1276 wrote to memory of 1648, 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe -> MediaCenter.exe (4 entries)
    PID 1276 wrote to memory of 1944, 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe -> cmd.exe (4 entries)
    PID 1944 wrote to memory of 1716, cmd.exe -> PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1276
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1648
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1944
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1716
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 35be57da4380fe7b7173c8716e968147
  SHA1: 6e912dd4d0991688944186429a77871fd0ec8305
  SHA256: e3d57b0d160aa9ece6eb10e0d288792c8e07a45997abf32d149566dc6405caf8
  SHA512: b26106dc224b9033261f6b03d0c2d282c7cc89df62950ef0e19f5094245f44a83e0b6c651713d64d3b4c9db981983df9835196b23a80e2f93c692014b55adbd7
- MD5: 35be57da4380fe7b7173c8716e968147
  SHA1: 6e912dd4d0991688944186429a77871fd0ec8305
  SHA256: e3d57b0d160aa9ece6eb10e0d288792c8e07a45997abf32d149566dc6405caf8
  SHA512: b26106dc224b9033261f6b03d0c2d282c7cc89df62950ef0e19f5094245f44a83e0b6c651713d64d3b4c9db981983df9835196b23a80e2f93c692014b55adbd7
- MD5: 35be57da4380fe7b7173c8716e968147
  SHA1: 6e912dd4d0991688944186429a77871fd0ec8305
  SHA256: e3d57b0d160aa9ece6eb10e0d288792c8e07a45997abf32d149566dc6405caf8
  SHA512: b26106dc224b9033261f6b03d0c2d282c7cc89df62950ef0e19f5094245f44a83e0b6c651713d64d3b4c9db981983df9835196b23a80e2f93c692014b55adbd7