Analysis
- max time kernel: 120s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:49
Static task: static1
Behavioral task: behavioral1
  Sample: 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe
  Resource: win10v2004-en-20220113
General
- Target: 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe
- Size: 58KB
- MD5: 76daee38b9f61a5c8568ae15708fa721
- SHA1: eba8d04bcde93059c1f4ef80ad0673f21cd7cd82
- SHA256: 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b
- SHA512: c9f528e66f5f702b3e7b75abc605560ca07798ea9a531a4a0bd00ad4e6f9fae0f07455aa057022815f9f3a1a3a2eda9b3f6c1347b01a96868759b6a6cfeafda2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  840 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  1260 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  928 | 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 928 | 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 928 wrote to memory of 840 | 928 | 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe | MediaCenter.exe (4 entries)
  PID 928 wrote to memory of 1260 | 928 | 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe | cmd.exe (4 entries)
  PID 1260 wrote to memory of 2020 | 1260 | cmd.exe | PING.EXE (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe"
   PID: 928
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 840
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe"
      PID: 1260
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 2020
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5dc9d64eed314add82fcc8f8c1947776
  SHA1: eed7c163db4195a9eda9158a230d845c02fef055
  SHA256: addf5a293e28f0634da376910b686d8ec72b4f8988dec1bb9d9cc8443bc0dc1a
  SHA512: 58ababa0ad58b7bb6986a8aa528cc9d751e6d90c23e640f5f4e4b94983ac139e61035d5a7c152cff0618c5f09d1f71bf2be78d45b6c4f11bb21c47d84f136737