Analysis

max time kernel: 118s
max time network: 137s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:40
Static task: static1

Behavioral task: behavioral1
Sample: 0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe
Resource: win10v2004-en-20220113
General

Target: 0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe
Size: 58KB
MD5: eef5bb836cd9e6a4060e5be16c8837f4
SHA1: 46532ed7f28e3ded0e13d926fe9db7343f648439
SHA256: 0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff
SHA512: 87119ebc0911d4bb17fcf4d58eb903913c91b533d1b6633db12fdc527744ba56e1064094b693ebf630ad35f9b268ac9021203cacffbb3c0471e85b588c98e78b
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  320   MediaCenter.exe

Deletes itself (1 IoCs)
Processes:
  pid   process
  1192  cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1912  0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe
  1912  0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1912  0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process                                                                   target process
  PID 1912 wrote to memory of 320    1912  0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe  MediaCenter.exe
  PID 1912 wrote to memory of 320    1912  0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe  MediaCenter.exe
  PID 1912 wrote to memory of 320    1912  0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe  MediaCenter.exe
  PID 1912 wrote to memory of 320    1912  0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe  MediaCenter.exe
  PID 1912 wrote to memory of 1192   1912  0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe  cmd.exe
  PID 1912 wrote to memory of 1192   1912  0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe  cmd.exe
  PID 1912 wrote to memory of 1192   1912  0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe  cmd.exe
  PID 1912 wrote to memory of 1192   1912  0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe  cmd.exe
  PID 1192 wrote to memory of 1824   1192  cmd.exe                                                                   PING.EXE
  PID 1192 wrote to memory of 1824   1192  cmd.exe                                                                   PING.EXE
  PID 1192 wrote to memory of 1824   1192  cmd.exe                                                                   PING.EXE
  PID 1192 wrote to memory of 1824   1192  cmd.exe                                                                   PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1912

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 320

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ced72529e8860ffc80f9ffa2e3dcff5f9f2d614b5080aa0409f9832cd420cff.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1192

    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1824
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 010836d3fd3613e45f5e4f6b8a1c1ac7
SHA1: 1f0d4dfd45781e5af34d4c6227bff3c08bd79436
SHA256: 8ea0f00abb466b66d25885bc76f651604848adc0b9423c34e15b7dc0f9a777df
SHA512: 8f19eeac71da806dc938ea8d1453ec1e365f42314f6d901bad570d23da1b7231bfd279987bb54c6e11f1d6414912bbfc87992c4856189d40e27189c39b317c71