Analysis
-
max time kernel
119s -
max time network
149s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 07:41
Static task
static1
Behavioral task
behavioral1
Sample
0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
Resource
win10v2004-en-20220113
General
-
Target
0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
-
Size
58KB
-
MD5
2d0059e0cf443df5cdb17eefe8444032
-
SHA1
635a698e5792064fcf245fa0bdc0a1e9c87684cc
-
SHA256
0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc
-
SHA512
0272c3aa7b6122c54ff66c352daf794188a0fecd1c677060792681a48f86fe8d15c6ff24d7f5f0e89042817e639154daebee5eb457a5f59deb8b1627bc1c6065
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid process
528 MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid process
1908 cmd.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid process
972 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
972 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
process: 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but that is a generic heuristic: nothing else in this report (no mass file writes, renames or encryption signatures) corroborates it. What the run actually shows is a dropped MediaCenter.exe under %TEMP%, Run-key persistence and self-deletion of the original sample.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
description pid process
Token: SeIncBasePriorityPrivilege 972 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe, cmd.exe
description pid process target process
PID 972 wrote to memory of 528 972 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe MediaCenter.exe
PID 972 wrote to memory of 528 972 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe MediaCenter.exe
PID 972 wrote to memory of 528 972 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe MediaCenter.exe
PID 972 wrote to memory of 528 972 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe MediaCenter.exe
PID 972 wrote to memory of 1908 972 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe cmd.exe
PID 972 wrote to memory of 1908 972 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe cmd.exe
PID 972 wrote to memory of 1908 972 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe cmd.exe
PID 972 wrote to memory of 1908 972 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe cmd.exe
PID 1908 wrote to memory of 1584 1908 cmd.exe PING.EXE
PID 1908 wrote to memory of 1584 1908 cmd.exe PING.EXE
PID 1908 wrote to memory of 1584 1908 cmd.exe PING.EXE
PID 1908 wrote to memory of 1584 1908 cmd.exe PING.EXE
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972
-
[2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE
PID:528
-
[2] C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe"
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1908
-
[3] C:\Windows\SysWOW64\PING.EXE
Command line: ping 127.0.0.1
- Runs ping.exe
PID:1584
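The process tree above is the whole story of this run: the sample (PID 972) drops MediaCenter.exe into a %TEMP% subfolder and runs it, registers it under the Run key, then spawns cmd.exe to "ping 127.0.0.1 & del /q" its own image (the ping is a sleep so the parent has exited and released its file lock before del runs). Note that cmd.exe's image path is SysWOW64 although the command line names System32: that is file-system redirection for a 32-bit process, and the same WOW64 layer is why the Run key landed under Wow6432Node. The script below is an added example, not part of the sandbox report, showing how each of the three behaviours can be detected from process, file-write and registry telemetry. The events are constructed to mirror this report (the sample's parent PID 1000 and the file-write record for MediaCenter.exe are assumptions, implied by the "Executes dropped EXE" signature but not listed explicitly). Matching is done on image paths, not command lines, so the System32/SysWOW64 discrepancy does not matter.

```python
"""
Detection logic for the three behaviours this report records: an executable
dropped to %TEMP% and run, a Run-key value pointing at it, and cmd.exe
self-deletion via "ping 127.0.0.1 & del". Added example, not part of the
sandbox report. The event records are constructed to mirror the report's
process tree and registry write; they are not real telemetry.
"""
import re
from dataclasses import dataclass

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe"
DROPPED = TEMP + r"\MicroMedia\MediaCenter.exe"


@dataclass
class Proc:          # process creation: pid, parent pid, image path, command line
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class FileWrite:     # a monitored process wrote a file to disk
    pid: int
    path: str


@dataclass
class RegSet:        # a monitored process set a registry value
    pid: int
    key: str
    name: str
    data: str


# Constructed events (the sample's parent PID 1000 is an assumption).
PROCS = [
    Proc(972, 1000, SAMPLE, f'"{SAMPLE}"'),
    Proc(528, 972, DROPPED, DROPPED),
    Proc(1908, 972, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Proc(1584, 1908, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
FILE_WRITES = [FileWrite(972, DROPPED)]   # assumed: 972 wrote MediaCenter.exe
REG_SETS = [RegSet(972,
                   r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
                   "MicroMedia", DROPPED)]

# "ping <loopback> ... & del [/flags] <path>": the ping is a sleep so the parent
# has exited (releasing its file lock) before del runs.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:127\.0\.0\.1|localhost)\b.*?&\s*del\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*$',
    re.IGNORECASE,
)
USER_WRITABLE = (TEMP.lower(), r"c:\users\admin\appdata")


def self_delete_hits(procs):
    """cmd.exe children whose command line deletes their parent's own image."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith(r"\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and m.group(1).strip().lower() == parent.image.lower():
            hits.append((p.pid, parent.pid))
    return hits


def dropped_exe_hits(procs, writes):
    """Processes whose image was written to disk earlier by a monitored process."""
    written = {w.path.lower(): w.pid for w in writes}
    return [(p.pid, written[p.image.lower()])
            for p in procs if p.image.lower() in written]


def run_key_hits(regs):
    """Run-key values whose target lives under a user-writable directory."""
    hits = []
    for r in regs:
        if not r.key.lower().endswith(r"\currentversion\run"):
            continue
        target = r.data.strip('"').lower()
        if target.startswith(USER_WRITABLE):
            hits.append((r.pid, r.name, r.data))
    return hits


if __name__ == "__main__":
    print("self-delete:", self_delete_hits(PROCS))
    print("dropped exe:", dropped_exe_hits(PROCS, FILE_WRITES))
    print("run key    :", run_key_hits(REG_SETS))
```

The self-delete check deliberately requires the del target to equal the parent's image path; "cmd /c ping & del" on an unrelated file is common in installers and would otherwise be noisy. On a live host the equivalent of the third check is to read HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (and its 64-bit and HKCU counterparts) and flag any value whose data points under a user-writable path such as %TEMP% or %APPDATA%.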
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
e4a5e3e2202cd835b0ea0108b2a89ff6
SHA1
97af6077d9b6a45d2bfd67e635fd50786cc1c7ee
SHA256
132158255ec876d8ee777bb31e6a7a2fde01f43c1907a336f64c2a5ff8ef7c01
SHA512
da607bda6be700da673bdb4b5826777e4fc1b7ea9612079231d8812f671f029e8be7dc5fc70656375e1c3d7b497194764e32cd4e0bff6842734b1c9ca77cf554