Analysis
max time kernel: 146s
max time network: 177s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:56
Static task: static1
Behavioral task: behavioral1
  Sample: 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe
  Resource: win10v2004-en-20220113
General
Target: 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe
Size: 36KB
MD5: ff6b201d79106db9e2c24f3663fe479b
SHA1: 44f07830f2e0844f24c975e66bece465a187481a
SHA256: 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f
SHA512: a65653b0742b6c7a04048531fe7fb8d9acc06a64c1a69ef462645bb84971be9f774b6ed962809b89cbbd49ae4cbd3cd789a422b28283bc3b4932db4c9ed90456
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  1480 | MediaCenter.exe

Deletes itself (1 IoCs)
Processes:
  pid | process
  1012 | cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  780 | 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe
  780 | 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 780 | 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 780 wrote to memory of 1480 | 780 | 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe | MediaCenter.exe
  PID 780 wrote to memory of 1480 | 780 | 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe | MediaCenter.exe
  PID 780 wrote to memory of 1480 | 780 | 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe | MediaCenter.exe
  PID 780 wrote to memory of 1480 | 780 | 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe | MediaCenter.exe
  PID 780 wrote to memory of 1012 | 780 | 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe | cmd.exe
  PID 780 wrote to memory of 1012 | 780 | 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe | cmd.exe
  PID 780 wrote to memory of 1012 | 780 | 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe | cmd.exe
  PID 780 wrote to memory of 1012 | 780 | 0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe | cmd.exe
  PID 1012 wrote to memory of 1888 | 1012 | cmd.exe | PING.EXE
  PID 1012 wrote to memory of 1888 | 1012 | cmd.exe | PING.EXE
  PID 1012 wrote to memory of 1888 | 1012 | cmd.exe | PING.EXE
  PID 1012 wrote to memory of 1888 | 1012 | cmd.exe | PING.EXE
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 780

  (depth 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1480

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c305ac166124db69b4c1032d4b8bbe5b538ab5b4a28e5e76922efc4547e4b8f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1012

    (depth 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1888
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 7c01243cce6bf6ff5c4749f044182541
SHA1: 8c9a96fcac581285049d117de9e2b2188ee62ccc
SHA256: 86463b88cd2ff46a933db2a078a65570e3c47d5a74b19f35eb4bbd62f46af4bd
SHA512: a03759673ea406dc05a90b8ff96126849290bbfa3534d3914a2a25d6b0fee0a6883cd37580454e99aed667702f74ae12d581bfc77190a8207e2e969181772b2b