Analysis
max time kernel: 149s
max time network: 163s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:56
Static task: static1
Behavioral task: behavioral1
  Sample: 0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe
  Resource: win10v2004-en-20220113
General
Target: 0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe
Size: 35KB
MD5: a7861d0a323c0cdad627a56bac53a2ab
SHA1: 96ae972c0874e43efcbc1576a68474bba54f0812
SHA256: 0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16
SHA512: fe03e899ba240a29e766f297252f5ed1fd29cb76def267d42b89c6dc9e828759cd64006b2f7b2d888cfc5f2b82ead75a6e12121c015effa157d3b84a9f4e4f2a
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1892  MediaCenter.exe

Deletes itself 1 IoCs
Processes:
  pid   process
  1944  cmd.exe

Loads dropped DLL 2 IoCs
Processes:
  pid   process
  1712  0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe
  1712  0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                         process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe 1 TTPs 1 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description                          pid   process
  Token: SeIncBasePriorityPrivilege    1712  0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                           pid   process                                                                    target process
  PID 1712 wrote to memory of 1892      1712  0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe      MediaCenter.exe
  PID 1712 wrote to memory of 1892      1712  0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe      MediaCenter.exe
  PID 1712 wrote to memory of 1892      1712  0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe      MediaCenter.exe
  PID 1712 wrote to memory of 1892      1712  0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe      MediaCenter.exe
  PID 1712 wrote to memory of 1944      1712  0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe      cmd.exe
  PID 1712 wrote to memory of 1944      1712  0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe      cmd.exe
  PID 1712 wrote to memory of 1944      1712  0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe      cmd.exe
  PID 1712 wrote to memory of 1944      1712  0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe      cmd.exe
  PID 1944 wrote to memory of 1640      1944  cmd.exe                                                                    PING.EXE
  PID 1944 wrote to memory of 1640      1944  cmd.exe                                                                    PING.EXE
  PID 1944 wrote to memory of 1640      1944  cmd.exe                                                                    PING.EXE
  PID 1944 wrote to memory of 1640      1944  cmd.exe                                                                    PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1712

  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1892

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c2ba181ebfb4dee2f046505a37d3731933e5ddaf2632b4747a0292ca0598e16.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1944

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1640
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 2a57f1fe53c9515d417c862c27438450
SHA1: 26334099cf1ea3039bb7c8b92e6332e3ee007422
SHA256: 3860d63897affe8db5593bfc0a6617ab51b9812710ff1741c978af8928c9c945
SHA512: 698f78087aab99b81f2b1fcbc5b20f87cbd92f8b280314981c266f7af781a968c5aa1b2295bd198cc9b8c2f5bd0170fac4c244d83c9c056ded8649fc6d41816d