Analysis
- max time kernel: 129s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:58
Static task: static1
Behavioral task: behavioral1
- Sample: 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
- Resource: win10v2004-en-20220113
General
- Target: 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
- Size: 35KB
- MD5: 177c1fe091d873b91d104d973de8ed99
- SHA1: 7b009545d6cd0851fde4495ed8e2df60325379ac
- SHA256: 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22
- SHA512: 8037fe64d2ea24c6514041c1e714bb7ce79b432643507223de4157f7995708515f7c1913a5261a12bedfc0644b18dcaf22aa3b8a5b0425dd4b51587a80db48c1
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    656 MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
    820 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1500 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
    1500 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege | 1500 | 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1500 wrote to memory of 656 | 1500 | 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe | MediaCenter.exe
    PID 1500 wrote to memory of 656 | 1500 | 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe | MediaCenter.exe
    PID 1500 wrote to memory of 656 | 1500 | 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe | MediaCenter.exe
    PID 1500 wrote to memory of 656 | 1500 | 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe | MediaCenter.exe
    PID 1500 wrote to memory of 820 | 1500 | 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe | cmd.exe
    PID 1500 wrote to memory of 820 | 1500 | 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe | cmd.exe
    PID 1500 wrote to memory of 820 | 1500 | 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe | cmd.exe
    PID 1500 wrote to memory of 820 | 1500 | 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe | cmd.exe
    PID 820 wrote to memory of 1976 | 820 | cmd.exe | PING.EXE
    PID 820 wrote to memory of 1976 | 820 | cmd.exe | PING.EXE
    PID 820 wrote to memory of 1976 | 820 | cmd.exe | PING.EXE
    PID 820 wrote to memory of 1976 | 820 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe"
  PID: 1500
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 656
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe"
    PID: 820
    Signatures:
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1976
      Signatures:
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3826ea849af9ec57f7e7930a7db4db27
  SHA1: 62c359799908642d409f831d24e0966f4e7ee1d1
  SHA256: 280492c34b5cd763174876a44b6a93d1219710bae056041644ec99d8fd0defe7
  SHA512: 9b3c75e7fa2f6cf8a4f29c6fde29463e9ba2b4e53b80c69ed05cd502fe042b4e008b9479893a0cf04b42e72bfbdd1bebd95c1756d90d0de659e199ffa9ca0e47