Analysis
Max time kernel: 154s
Max time network: 175s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 07:42
Static task: static1
Behavioral task: behavioral1
  Sample: 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe
  Resource: win10v2004-en-20220113
General
Target: 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe
Size: 35KB
MD5: 6571881681e7ca8291d59ae745652504
SHA1: 958346867837795166224f21003cbc1a95656665
SHA256: 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5
SHA512: 8409d1377ad584ef1b6db215228d3f9a27b280911c5cb5ef0a792789d71b3c5a5a7db9c2b7e3cf1299b0169ab2b41f947fc10375b7e59b0686a188be7aaa7d03
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 740
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 360
- Loads dropped DLL (2 IoCs)
  Process: 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe, PID 1320 (two DLL loads)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe, PID 1320
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1320 (0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe) wrote to memory of PID 740 (MediaCenter.exe): 4 events
  PID 1320 (0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe) wrote to memory of PID 360 (cmd.exe): 4 events
  PID 360 (cmd.exe) wrote to memory of PID 2032 (PING.EXE): 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe"
   PID: 1320
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 740
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe"
      PID: 360
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 2032
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 87d3a881e4b6eaaada6d5ea61792cf0a
  SHA1: e731ab0443dcef1930b789520285c63873575755
  SHA256: 660889bc4754b6f2b1a3d44aab0912dffe1f31abff3778239b3174c6a1099ecd
  SHA512: fb7397de3ed0a5f76e1ee792b5a577a327e113141ba34669a2d6e8ac9eb566398a1b222475bf2e5b4fde713e7304faebc795af932ddac551ee42a08b5dea32c4