Analysis
- max time kernel: 119s
- max time network: 128s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:43
Static task: static1
Behavioral task: behavioral1
  Sample: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
  Resource: win10v2004-en-20220113
General
- Target: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
- Size: 35KB
- MD5: 328460113e0191847980c8aaf058df67
- SHA1: 33f24c491a523e18d3fb28848b0483e4b19cc17a
- SHA256: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98
- SHA512: 311680b9fbb2712db0b405253912af9bb431b4eab927aa2bcedfe8098f054a1c2164c1a29463778ee108ea200c4a9f257bbf0833dfe90fe840e49d8a85a72303
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1680, process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid 396, process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1540, process 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
    pid 1540, process 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"; process: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege; pid 1540; process 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 1540 wrote to memory of 1680; process 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe; target process MediaCenter.exe (4 entries)
    PID 1540 wrote to memory of 396; process 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe; target process cmd.exe (4 entries)
    PID 396 wrote to memory of 1972; process cmd.exe; target process PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe"
  PID: 1540
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1680
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe"
    PID: 396
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1972
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4ded20891646496227fca99caffb9f1b
  SHA1: 68a8c5f4c1c597d58a161078fc88fe71eb26fa1d
  SHA256: 30cc2f00c997d7f8fbb4b736594eabe7f26a698fd046e80f1c36e41378b9ff66
  SHA512: a4cd542a1fbaf97fe9ed9a0b477a28801e9a84bcf3b2bf3905f7efce6dd1b17850029450d552e100cf3701f9bcd497d6c063d84596597e48d8420243c14c14c8