Analysis
- max time kernel: 142s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:50
Static task
- static1
Behavioral task
- behavioral1
- Sample: 0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe
- Resource: win7-en-20211208
Behavioral task
- behavioral2
- Sample: 0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe
- Resource: win10v2004-en-20220112
General
- Target: 0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe
- Size: 35KB
- MD5: 242d41f061f7161c885532c0489c2d7d
- SHA1: 0a94fadd39078986e8aa9ee2ebf336d519cb03d6
- SHA256: 0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4
- SHA512: 2fd1c17c4efdb4ec4f2c7fb916f5766199e2465f1c3c9cc80ae6d06cc0512ce471c1705aaab2e8befe150b96e32d19d0189afea7ca84667dd4c05991017dcf13
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  1548  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
  820  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1624  0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe
  1624  0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege  1624  0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1624 wrote to memory of 1548  1624  0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe  MediaCenter.exe
  PID 1624 wrote to memory of 1548  1624  0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe  MediaCenter.exe
  PID 1624 wrote to memory of 1548  1624  0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe  MediaCenter.exe
  PID 1624 wrote to memory of 1548  1624  0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe  MediaCenter.exe
  PID 1624 wrote to memory of 820  1624  0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe  cmd.exe
  PID 1624 wrote to memory of 820  1624  0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe  cmd.exe
  PID 1624 wrote to memory of 820  1624  0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe  cmd.exe
  PID 1624 wrote to memory of 820  1624  0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe  cmd.exe
  PID 820 wrote to memory of 1764  820  cmd.exe  PING.EXE
  PID 820 wrote to memory of 1764  820  cmd.exe  PING.EXE
  PID 820 wrote to memory of 1764  820  cmd.exe  PING.EXE
  PID 820 wrote to memory of 1764  820  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1624
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1548
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c8b0b4968eb71ef1bee82a8bac62e7640331f5f1d3204bf05ce87ac621bc8a4.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 820
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1764
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 363bcf2ccb3433eeb4ac3b6f4fbfb6d6
- SHA1: 3ccf8c83c94c22b061b8f06e850285ae1c89c18f
- SHA256: af4da0f839251c9961f6680ceae76410b828e10d6520a43bc5102bc859ff6dba
- SHA512: 7b90c9974a7cf8fc92c8ce1186bbd918289a3e17be97eb78251a5312aa10ba7553dbe767cf5cb95b5bf8536ae83884ae96fbd9d25ff0b4d333d4734d1fe9b011