Analysis
max time kernel: 130s
max time network: 167s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:54
Static task: static1
Behavioral task: behavioral1
  Sample: 0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe
  Resource: win10v2004-en-20220112
General
Target: 0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe
Size: 35KB
MD5: 046e35c3ab83dc6f68792ff9cde33c4d
SHA1: 314bdaac9f3707c38d8bb63811804b899a7d5df9
SHA256: 0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241
SHA512: 03c60f346b7cc6e721378e866a53120a067097509768eb46221493fe5026bc894f3ec1d194e95baea873110e7e939fdcea58ad82af56047e35b3355c149f704f
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    956  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
    1456  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    780  0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe
    780  0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  780  0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 780 wrote to memory of 956  780  0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe  MediaCenter.exe
    PID 780 wrote to memory of 956  780  0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe  MediaCenter.exe
    PID 780 wrote to memory of 956  780  0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe  MediaCenter.exe
    PID 780 wrote to memory of 956  780  0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe  MediaCenter.exe
    PID 780 wrote to memory of 1456  780  0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe  cmd.exe
    PID 780 wrote to memory of 1456  780  0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe  cmd.exe
    PID 780 wrote to memory of 1456  780  0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe  cmd.exe
    PID 780 wrote to memory of 1456  780  0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe  cmd.exe
    PID 1456 wrote to memory of 1496  1456  cmd.exe  PING.EXE
    PID 1456 wrote to memory of 1496  1456  cmd.exe  PING.EXE
    PID 1456 wrote to memory of 1496  1456  cmd.exe  PING.EXE
    PID 1456 wrote to memory of 1496  1456  cmd.exe  PING.EXE
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 780
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 956
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c574dfe04e98c429e1780572a7d8aa33a06b0517144ca7c02f9d81e3ff50241.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        PID: 1456
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 1496
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7e3e96accfd182e18183c6a09a52daba
  SHA1: 53cabfc2616c7cf3a5cb583977188ad2a4a657f9
  SHA256: 67dea3acff41e34d2dbd4f21cc6c47d54d515ef21551b0fc13d2c70aebe1fca8
  SHA512: 9ad2bbbeafd2309bdcbf678d73f62bced1cdf116556d2bee72ba9b1225b5bbc2533f318e4e40743964fdf1cce3ed3af9b0888de782a7ff4ce65de2d67f636cea