Analysis
- max time kernel: 124s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:45
Static task: static1
Behavioral task: behavioral1
  Sample: 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe
  Resource: win10v2004-en-20220113
General
- Target: 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe
- Size: 36KB
- MD5: aaa3cceb6457b2b7af9c48da2d0bc483
- SHA1: 82c63d6dbfaddd5204986332596b8bddb6e1b4d3
- SHA256: 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b
- SHA512: 7204ff0ac46f7a3befde23dc3d36af28bbcd3d01f5efb7a3fdbf9f828a74693af2f00fee40b2070e6222188c311d5c60859b057b622823d95afe5b71c4432b15
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  1312 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  944 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1632 | 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe
  1632 | 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege | 1632 | 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1632 wrote to memory of 1312 | 1632 | 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe | MediaCenter.exe
  PID 1632 wrote to memory of 1312 | 1632 | 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe | MediaCenter.exe
  PID 1632 wrote to memory of 1312 | 1632 | 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe | MediaCenter.exe
  PID 1632 wrote to memory of 1312 | 1632 | 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe | MediaCenter.exe
  PID 1632 wrote to memory of 944 | 1632 | 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe | cmd.exe
  PID 1632 wrote to memory of 944 | 1632 | 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe | cmd.exe
  PID 1632 wrote to memory of 944 | 1632 | 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe | cmd.exe
  PID 1632 wrote to memory of 944 | 1632 | 0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe | cmd.exe
  PID 944 wrote to memory of 948 | 944 | cmd.exe | PING.EXE
  PID 944 wrote to memory of 948 | 944 | cmd.exe | PING.EXE
  PID 944 wrote to memory of 948 | 944 | cmd.exe | PING.EXE
  PID 944 wrote to memory of 948 | 944 | cmd.exe | PING.EXE
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe"
  PID: 1632
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  PID: 1312
  - Executes dropped EXE
- Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cadbafc6cc230fda5f01613f9c8202a7fcef6b169e35a910831e1adf23b0e2b.exe"
  PID: 944
  - Deletes itself
  - Suspicious use of WriteProcessMemory
- Level 3: C:\Windows\SysWOW64\PING.EXE
  Command line: ping 127.0.0.1
  PID: 948
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c9aa405032317c7646517c13deb04520
  SHA1: 6ac17881bd25b617b4572f876ffe7e06f819c15a
  SHA256: 230b66a246b8e1c759234167ce4ae8b2c1cd140bd79c1595a937749b7f524dd9
  SHA512: fe1d57c7c02bb488a9b92aeab424e30abb43bab7118fa43695e56bd7ae3bf8d4de864ca92ae308f936cdf79b4c135cf61f8f41aff2f266f58f4f690a9bc03dad