Analysis
- max time kernel: 134s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:54
Static task: static1
Behavioral task: behavioral1
  Sample: 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe
  Resource: win10v2004-en-20220113
General
- Target: 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe
- Size: 36KB
- MD5: 3248826e8a19b42a30b97ddcdc2e6d7e
- SHA1: a90c2c55fa49d8ba2cf613f1886a08983335a3b4
- SHA256: 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5
- SHA512: 132fb2f1b3705e8c546d1975a5145370cf1082d4cd0f5ad7735719b087514ecd0ddc05e03a12dcf811bf8e566a0fee819cfa2dd423753395ff621157916ab311
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  1632 MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
  1780 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1556 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe
  1556 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege 1556 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1556 wrote to memory of 1632; 1556 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe -> MediaCenter.exe
  PID 1556 wrote to memory of 1632; 1556 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe -> MediaCenter.exe
  PID 1556 wrote to memory of 1632; 1556 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe -> MediaCenter.exe
  PID 1556 wrote to memory of 1632; 1556 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe -> MediaCenter.exe
  PID 1556 wrote to memory of 1780; 1556 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe -> cmd.exe
  PID 1556 wrote to memory of 1780; 1556 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe -> cmd.exe
  PID 1556 wrote to memory of 1780; 1556 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe -> cmd.exe
  PID 1556 wrote to memory of 1780; 1556 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe -> cmd.exe
  PID 1780 wrote to memory of 828; 1780 cmd.exe -> PING.EXE
  PID 1780 wrote to memory of 828; 1780 cmd.exe -> PING.EXE
  PID 1780 wrote to memory of 828; 1780 cmd.exe -> PING.EXE
  PID 1780 wrote to memory of 828; 1780 cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe"
  Level 1, PID: 1556
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Level 2, PID: 1632
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe"
    Level 2, PID: 1780
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Level 3, PID: 828
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d1d8884a112c68d6ca668b4031a97ef8
  SHA1: f61311f4a42cdb0b79c7ca0aae92245a2af294bb
  SHA256: 8ad96b288d6d2e0b205f2f7f04f97642dc543af295430af541af667fe84633d3
  SHA512: f3c822e44873df864c60a517a06ea02541bd1de5d1a49232cc3ffbfb91acd46c8eb812bd0b1cbd2aa29aaa39014394956926db89bb558a707744c13f815bd072