Analysis
max time kernel: 144s
max time network: 165s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:57
Static task: static1
Behavioral task: behavioral1
  Sample: 0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe
  Resource: win10v2004-en-20220113
General
Target: 0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe
Size: 35KB
MD5: f329a4ced326ca4047ad553b9a436e74
SHA1: 2cba78fdde86aa5fcbc640894dc1d017d7cb04ba
SHA256: 0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde
SHA512: 1eed19bd5b8ba26af07a04e2c56f9ad2fe3402ed764b282665032c5ebdd4b179a12f24b17bb297623a8ec57beb9a0331e80ac50c5d1e7ff3d467e644a19a4fc8
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  1292  MediaCenter.exe
Deletes itself (1 IoCs)
Processes:
  pid   process
  1180  cmd.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1448  0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe
  1448  0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                                                         process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1448  0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                                                                 target process
  PID 1448 wrote to memory of 1292  1448  0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe  MediaCenter.exe
  PID 1448 wrote to memory of 1292  1448  0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe  MediaCenter.exe
  PID 1448 wrote to memory of 1292  1448  0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe  MediaCenter.exe
  PID 1448 wrote to memory of 1292  1448  0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe  MediaCenter.exe
  PID 1448 wrote to memory of 1180  1448  0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe  cmd.exe
  PID 1448 wrote to memory of 1180  1448  0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe  cmd.exe
  PID 1448 wrote to memory of 1180  1448  0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe  cmd.exe
  PID 1448 wrote to memory of 1180  1448  0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe  cmd.exe
  PID 1180 wrote to memory of 1096  1180  cmd.exe                                                                 PING.EXE
  PID 1180 wrote to memory of 1096  1180  cmd.exe                                                                 PING.EXE
  PID 1180 wrote to memory of 1096  1180  cmd.exe                                                                 PING.EXE
  PID 1180 wrote to memory of 1096  1180  cmd.exe                                                                 PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1448
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:1292
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c1da19629d44ad5faef78517744e08edbb15c66f480bab66a2a2ed4306dbcde.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1180
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID:1096
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: cde4507c75d2ebcfbf6325f282a67525
SHA1: ee36ca25b0caa186fd2c3563788aa0419cb10d76
SHA256: 07d83a44d24f584d059d02517c28982643d0cbf47c8bc73c14824e54bd50010d
SHA512: 4fbbf1a6dbba8a3acaa3a272bd8bdff378b6a781bf3c5a744e50171dc1f71b7ec9d6f0b2dc2a2fbc802d839e8a20208ed7cc4cf63cd00f95ea6f0a016cf29f12