Analysis
Max time kernel: 118s
Max time network: 132s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 07:56
Static task: static1
Behavioral task: behavioral1
  Sample: 0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe
  Resource: win10v2004-en-20220113
General
Target: 0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe
Size: 58KB
MD5: 4661d18fd397591b163c12b37d282dd0
SHA1: 7f8d51a8d11075704a6e82db37e86da0f2e83606
SHA256: 0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134
SHA512: f5de2009ee0fa99765e9683b083c6fcd14d1f4e9d18d97a231b8487ac36c54848a02acd9c1e24c41eb3b9b72feffaa6a4503c7bf51e02891b5b3f97988a6b10a
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  Process: MediaCenter.exe, PID 792
Deletes itself (1 IoCs)
  Process: cmd.exe, PID 932
Loads dropped DLL (2 IoCs)
  Process: sample executable (0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe), PID 1672; recorded twice, i.e. two dropped DLLs loaded
Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: sample executable, PID 1672
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: the Wow6432Node path shows a 32-bit process writing HKLM\...\CurrentVersion\Run through the WOW64 registry redirector on this x64 VM. The autostart target sits in the user's Temp directory, a user-writable location, which is the part worth alerting on.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour; treat that as a heuristic, since nothing else in this report (no file encryption, no ransom note) corroborates it.
Runs ping.exe (1 TTPs, 1 IoCs)
  Process: PING.EXE, PID 1980, launched by cmd.exe (PID 932) as the delay before the self-delete; see the process tree below.
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Process: sample executable, PID 1672; Token: SeIncBasePriorityPrivilege (the privilege SetPriorityClass needs for elevated priority classes; weak evidence on its own)
Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID  Source process      Target PID  Target process    Entries
  1672        sample executable   792         MediaCenter.exe   4
  1672        sample executable   932         cmd.exe           4
  932         cmd.exe             1980        PING.EXE          4
  Each child-process launch is recorded as four WriteProcessMemory IoCs, so the 12 entries reduce to the three parent/child pairs above; they match the process tree rather than indicating injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe (PID 1672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 792)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Signatures: Executes dropped EXE
  └ C:\Windows\SysWOW64\cmd.exe (PID 932)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe"
      Signatures: Deletes itself; Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\PING.EXE (PID 1980)
          Command line: ping 127.0.0.1
          Signatures: Runs ping.exe

Notes on the tree: the image path is C:\Windows\SysWOW64\cmd.exe although the command line names System32, because the 32-bit parent is subject to WOW64 file-system redirection on the x64 VM; detections that key on the image path should match on the basename or on both directories. The "ping 127.0.0.1 & del /q <self>" chain is the classic self-deletion idiom: ping only exists to delay for a few seconds until the parent has exited and its image is no longer locked, and /q suppresses any confirmation prompt. The dropped MediaCenter.exe (PID 792), registered under the Run key above, is what survives on the host.
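The process tree and the Run-key IoC above translate directly into detection logic. The following is an added example, not part of the sandbox report and not the vendor's code: it replays the report's process tree and registry write as constructed Sysmon-style events and flags (1) a cmd.exe child whose "ping ... & del" command line deletes its parent's own image, and (2) a Run/RunOnce value that points into a user-writable directory. The ProcEvent/RegEvent classes and field names, the parent PID of the sample, and the two benign control events are assumptions made for this example.

```python
"""Detection logic for the self-deletion chain and the Run-key persistence above.

Added example, not part of the sandbox report. Event shape (Sysmon-style
process-creation and registry-set records) and the sample data are constructed.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # image path as the event log records it (SysWOW64 for a 32-bit child on x64)
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    target: str   # full value path, e.g. ...\CurrentVersion\Run\MicroMedia
    data: str     # value data: the command that will autostart


# cmd.exe /c <ping|timeout> <args> & del [/switches] "<path>"
SELF_DELETE_RE = re.compile(
    r'\b(?:ping|timeout)(?:\.exe)?\s+\S+.*?&\s*del\s+(?:/\w+\s+)*"?(?P<path>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def find_self_deletion(events):
    """Return (cmd_pid, parent_pid, deleted_path) for cmd.exe children that delete their parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        # Match on the basename: a 32-bit parent on x64 launches C:\Windows\SysWOW64\cmd.exe
        # even though its command line says System32 (see the process tree above).
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        if not m:
            continue
        path = m.group("path").strip()
        parent = by_pid.get(e.ppid)
        # The discriminator is that the deleted file is the parent's own executable;
        # a plain "cmd /c ping host" or a delete of some other file does not fire.
        if parent is not None and parent.image.lower() == path.lower():
            hits.append((e.pid, parent.pid, path))
    return hits


def find_run_key_persistence(events):
    """Return (pid, value_name, exe_path) for Run/RunOnce values pointing into user-writable dirs."""
    hits = []
    for e in events:
        key, _, name = e.target.rpartition("\\")
        if not RUN_KEY_RE.search(key):      # HKLM, Wow6432Node and HKCU variants share this tail
            continue
        # Sandbox reports print the value with doubled backslashes and quotes; normalise them.
        exe = e.data.strip().strip('"').replace("\\\\", "\\").lower()
        if any(d in exe for d in USER_WRITABLE):
            hits.append((e.pid, name, exe))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the report's process tree (PIDs as recorded there). The sample's own
# parent PID (1000) and the two benign control events are made up for this example.
PROC_EVENTS = [
    ProcEvent(1672, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(792, 1672, DROPPED, DROPPED),
    ProcEvent(932, 1672, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1980, 932, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(2100, 1000, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1'),   # control: ping, no delete
]
REG_EVENTS = [
    RegEvent(1672, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"'),
    RegEvent(2200, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
             r'"C:\Program Files\Vendor\updater.exe"'),                # control: not user-writable
]


def analyze(proc_events=PROC_EVENTS, reg_events=REG_EVENTS):
    return {"self_deletion": find_self_deletion(proc_events),
            "run_key_persistence": find_run_key_persistence(reg_events)}


if __name__ == "__main__":
    for kind, hits in analyze().items():
        for hit in hits:
            print(kind, *hit)
```

Run as a script it reports the cmd.exe (PID 932) deleting the PID 1672 image and the MicroMedia Run value, and stays silent on both control events. Two design choices carry the signal: the self-deletion rule requires the deleted path to equal the parent's image, which is what separates this chain from an ordinary "cmd /c ping" in a logon script, and cmd.exe is matched on its basename so the SysWOW64 image path seen in the tree does not slip past a rule written for System32.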
Network
MITRE ATT&CK Enterprise v6
Downloads
Three entries with identical hashes (one distinct file). These hashes differ from the submitted sample's, so the downloaded artifact is not the sample itself.
MD5: 6282a223dc865c2c2d91987977ef89da
SHA1: 92960e24fdd4ec575836f2010e3de50e9494167f
SHA256: 9778ed296deff4a01c1300583277d20bf388a47fd95373dcc8bb68ca822bea06
SHA512: 9458c242e64600d103fede7e50263f5861680feb3c903f662b8c5f3e2a3a7ace28aca9c4b5bc8da2ccbee81f5482e6d4f4209f0c3094252261b1963c8c3b8622