Analysis
- max time kernel: 153s
- max time network: 180s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:00
Static task: static1
Behavioral task: behavioral1
- Sample: 0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6.exe
- Resource: win10v2004-en-20220112
General
- Target: 0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6.exe
- Size: 58KB
- MD5: 938279db4df8db64a07cda2042dff616
- SHA1: dcc0944bef91ee8bfb3871431b7d49708746feff
- SHA256: 0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6
- SHA512: 46f95c2170ed2253df34d3ba5fa9a0003d4b321fa21e6ec0f7fd06ec664a3155a7d85c4a80955723ff6e93bacc1ca5008bcae6da7f880d4bf5bb413b9711c79d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 304)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1692)
- Loads dropped DLL (2 IoCs)
  Processes: 0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6.exe (PID 1772), 0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6.exe (PID 1772)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6.exe (PID 1772)
  Description: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6.exe, cmd.exe
  Description (pid -> target pid, process -> target process):
  - PID 1772 wrote to memory of 304: 0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6.exe -> MediaCenter.exe (4 entries)
  - PID 1772 wrote to memory of 1692: 0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6.exe -> cmd.exe (4 entries)
  - PID 1692 wrote to memory of 740: cmd.exe -> PING.EXE (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1772
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 304
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c00d2909bccd9598707c32ad7fed43df9604c3ac47fab13738771f4e6016ec6.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1692
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 740
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7a90a0441646e330a9f3b6de8d902a26
  SHA1: 1f8620517860713054f6f07dc3667240bfd99378
  SHA256: 87eef3feb5534fe7f7825e6f24ff9a1ea320c6d529bc301114b964918eb7991e
  SHA512: a97458489979450ef3887b02f843ef151a2b6baaacdb41c6b7260fca67c848f4a693b26920354510df7c0db65e9187ec116d44773aa995ec4c2750703c706f9c