Analysis
- max time kernel: 138s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:51
Static task: static1
Behavioral task: behavioral1
  Sample: 0c82e6dce43b2b1b938c1ea9e6c8a033a19112f89d4e9ddf47c6240036938223.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c82e6dce43b2b1b938c1ea9e6c8a033a19112f89d4e9ddf47c6240036938223.exe
  Resource: win10v2004-en-20220112
General
- Target: 0c82e6dce43b2b1b938c1ea9e6c8a033a19112f89d4e9ddf47c6240036938223.exe
- Size: 60KB
- MD5: 75dfca14f72d431f6bd4faf37c049737
- SHA1: 3ba0d8e99d2a2d1496672b2d3c633fedad00d372
- SHA256: 0c82e6dce43b2b1b938c1ea9e6c8a033a19112f89d4e9ddf47c6240036938223
- SHA512: ca6baf655bbeee764a0da00fdb8cd3523425560d5acddaacaacddc9e7726414d1e862f326dc2885fcc80c306e6fb9d12f081cae6ffe7ea68f9306bc4413639e1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1620 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    968 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    964 0c82e6dce43b2b1b938c1ea9e6c8a033a19112f89d4e9ddf47c6240036938223.exe
    964 0c82e6dce43b2b1b938c1ea9e6c8a033a19112f89d4e9ddf47c6240036938223.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 0c82e6dce43b2b1b938c1ea9e6c8a033a19112f89d4e9ddf47c6240036938223.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege, 964, 0c82e6dce43b2b1b938c1ea9e6c8a033a19112f89d4e9ddf47c6240036938223.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process), 4 identical entries each:
    PID 964 wrote to memory of 1620: 964 0c82e6dce43b2b1b938c1ea9e6c8a033a19112f89d4e9ddf47c6240036938223.exe -> MediaCenter.exe
    PID 964 wrote to memory of 968: 964 0c82e6dce43b2b1b938c1ea9e6c8a033a19112f89d4e9ddf47c6240036938223.exe -> cmd.exe
    PID 968 wrote to memory of 1920: 968 cmd.exe -> PING.EXE
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\0c82e6dce43b2b1b938c1ea9e6c8a033a19112f89d4e9ddf47c6240036938223.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c82e6dce43b2b1b938c1ea9e6c8a033a19112f89d4e9ddf47c6240036938223.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 964
  - (level 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
    PID: 1620
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c82e6dce43b2b1b938c1ea9e6c8a033a19112f89d4e9ddf47c6240036938223.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    PID: 968
    - (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
      PID: 1920
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 36e2aa5061b2db72ea45a7d3021e9332
  SHA1: 5756c48fc935ee3ae1da89fb1cb812c99007b7dd
  SHA256: 8f0e1430910796dfd02c30425fbf98da44ac7e71526d6ab7a65873be311f8b34
  SHA512: efb1c3bc7bf45d368121cfd7386e6aa28667e6f8e255e81bda2043648322a189eed5b3f8df27c5234109360556e2bd2d09a8ed4282ef459f267f849a87af590e