Analysis
- max time kernel: 151s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:42
Static task: static1
Behavioral task: behavioral1
  Sample: 0cd88cefe6792d64ea77b501e3d5e164404475763ab3704cc37758ee9c141b3a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0cd88cefe6792d64ea77b501e3d5e164404475763ab3704cc37758ee9c141b3a.exe
  Resource: win10v2004-en-20220112
General
- Target: 0cd88cefe6792d64ea77b501e3d5e164404475763ab3704cc37758ee9c141b3a.exe
- Size: 36KB
- MD5: 3d521f19c8f6cf28fd75a1735dca77e4
- SHA1: 704dd377cce1b11dbdb6372164fce3650d37aba0
- SHA256: 0cd88cefe6792d64ea77b501e3d5e164404475763ab3704cc37758ee9c141b3a
- SHA512: e4b8287573ef6d7259b1bc38bc258a5adc8b74052791c062ccd875c40dbeea72179736b315eb735c09b05bf3555487a61f6cc92cd3835c76f0264ba7da300b95
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 592 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: pid 1100 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 848 0cd88cefe6792d64ea77b501e3d5e164404475763ab3704cc37758ee9c141b3a.exe; pid 848 0cd88cefe6792d64ea77b501e3d5e164404475763ab3704cc37758ee9c141b3a.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 0cd88cefe6792d64ea77b501e3d5e164404475763ab3704cc37758ee9c141b3a.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description: Token: SeIncBasePriorityPrivilege
  Process: pid 848 0cd88cefe6792d64ea77b501e3d5e164404475763ab3704cc37758ee9c141b3a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process):
    PID 848 wrote to memory of 592: 0cd88cefe6792d64ea77b501e3d5e164404475763ab3704cc37758ee9c141b3a.exe -> MediaCenter.exe (4 events)
    PID 848 wrote to memory of 1100: 0cd88cefe6792d64ea77b501e3d5e164404475763ab3704cc37758ee9c141b3a.exe -> cmd.exe (4 events)
    PID 1100 wrote to memory of 1060: cmd.exe -> PING.EXE (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0cd88cefe6792d64ea77b501e3d5e164404475763ab3704cc37758ee9c141b3a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0cd88cefe6792d64ea77b501e3d5e164404475763ab3704cc37758ee9c141b3a.exe"
   PID: 848
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 592
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cd88cefe6792d64ea77b501e3d5e164404475763ab3704cc37758ee9c141b3a.exe"
      PID: 1100
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1060
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6f392ab7632c58e773ab85260d64407a
  SHA1: 19c6c6763d99ba1ea1ae5e973561f0c230e988e7
  SHA256: 246fe3b22365caade4f44194e827e44875c5c8bbd5435dd5fff86ba0d944edd3
  SHA512: ded0f051c4d873d9f0977fe569d35b9362acba7e1d3a48b5e52f5c8df1443f71334b24e60767a03c2d6db585feb63794ba2e0c531cfdb9db655f0b3dadf4b27c