Analysis
- max time kernel: 128s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:47
Static task: static1
Behavioral task: behavioral1
  Sample: 0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
  Resource: win10v2004-en-20220113
General
- Target: 0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
- Size: 60KB
- MD5: cc9e4097f1ae44d9319d975ae6f14781
- SHA1: 100ee70c558afa90f8dd4e4b05d76d12fcfad6e8
- SHA256: 0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b
- SHA512: 55dd1ef0477b440583ff9bb0fcdcff9573fb446c948dbd4d05be6eb6eb4c74b4c4707e8fbcf04f077bc8ac927de901b85e88fdd62465f4fee4ba98a0ec47b77d
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1520  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    428   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1752  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
    1752  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                        pid   process
    Token: SeIncBasePriorityPrivilege  1752  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                 target process
    PID 1752 wrote to memory of 1520   1752  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe   MediaCenter.exe
    PID 1752 wrote to memory of 1520   1752  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe   MediaCenter.exe
    PID 1752 wrote to memory of 1520   1752  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe   MediaCenter.exe
    PID 1752 wrote to memory of 1520   1752  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe   MediaCenter.exe
    PID 1752 wrote to memory of 428    1752  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe   cmd.exe
    PID 1752 wrote to memory of 428    1752  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe   cmd.exe
    PID 1752 wrote to memory of 428    1752  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe   cmd.exe
    PID 1752 wrote to memory of 428    1752  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe   cmd.exe
    PID 428 wrote to memory of 1660    428   cmd.exe                                                                 PING.EXE
    PID 428 wrote to memory of 1660    428   cmd.exe                                                                 PING.EXE
    PID 428 wrote to memory of 1660    428   cmd.exe                                                                 PING.EXE
    PID 428 wrote to memory of 1660    428   cmd.exe                                                                 PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe"
  PID: 1752
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1520
    - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe"
    PID: 428
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1660
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9242bca1286f64b73d1c3e4920598298
  SHA1: 37119d75bfc7f3c184c48fdb5aab0c03e523fd68
  SHA256: d448a3668a20dd0d040f8aa994f669671d86096f023cc57f6fdeb56cda8b68a5
  SHA512: ec7c19333023a43171fb8a60f64b16b89cff18dbdd0414e53e08e3109c388e52b0a17ac510d54263c1e859bb64a8a3a9d95787226ceb13bbdd7617774092b2b5