Analysis
- max time kernel: 155s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:37
Static task: static1
Behavioral task: behavioral1
- Sample: 0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af.exe
- Resource: win10v2004-en-20220113
General
- Target: 0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af.exe
- Size: 60KB
- MD5: 40184919d66f200ee106e75f4f5039ba
- SHA1: 93e01429a7f34962d150d276f9445622fd8878a0
- SHA256: 0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af
- SHA512: f64f29498390dcf24b57c07b7b1f31cebed22c3cafa069cb19df943c3463a0fbb39c6a213ef2e6f28c456108898485ce37c0b1e4d7d81cf57ce3419dbed47816
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1720)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 432)
- Loads dropped DLL (2 IoCs)
  Processes: 0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af.exe (PID 1588), 0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af.exe (PID 1588)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af.exe (PID 1588), Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af.exe, cmd.exe
  PID 1588 (0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af.exe) wrote to memory of PID 1720 (MediaCenter.exe), 4 times
  PID 1588 (0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af.exe) wrote to memory of PID 432 (cmd.exe), 4 times
  PID 432 (cmd.exe) wrote to memory of PID 1796 (PING.EXE), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af.exe"
  Level 1, PID 1588
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Level 2, PID 1720
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d194c8a8ebdd7f0e73abc64efd654e92231b569df66ac7b07935b66b36461af.exe"
    Level 2, PID 432
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Level 3, PID 1796
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 85b2c3cb31ac756a41b88f414140c027
  SHA1: 750d04e1f1e1fa844ae1bac353fdac72bccca0e4
  SHA256: 001650768129603ca9a8f1f131385d20514fce80dd50ff6e154938f116e4e249
  SHA512: 4e4524b1356d1d9b6517a409c1d624bf5b2f6f7ffb7b68442ca71ce64acb5c1426d117d1711fd90d58eac1a25d22ca513d16a34ade72ff79592f37185e70d359