Analysis
- max time kernel: 156s
- max time network: 173s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:59
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe
  Resource: win10v2004-en-20220113
General
- Target: 0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe
- Size: 60KB
- MD5: 3185e30ac7682e59881d4e5cd113dfd6
- SHA1: 4d641bf997e88258704caec4293e897ce2edff32
- SHA256: 0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06
- SHA512: e31dc247d990cd6332901f1b9f818d6c1dba4bbb67065f4ced4969ce5a7c019ee52f77e148981a09fd26f45d0bda28ca534fc59dd06bb80a26301c7d76f1eef9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1452  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    PID 1796  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 1688  0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe
    PID 1688  0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1688  0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid / source process -> target pid / target process):
    PID 1688 0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe wrote to memory of PID 1452 MediaCenter.exe (4 events)
    PID 1688 0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe wrote to memory of PID 1796 cmd.exe (4 events)
    PID 1796 cmd.exe wrote to memory of PID 1040 PING.EXE (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe"
  PID: 1688
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1452
    - Executes dropped EXE
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe"
    PID: 1796
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1040
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c8c1a557d08356ed3fc16ef2c45b6262
  SHA1: 7d99d18ec1ea67906d08985e4b4dfded0e07a932
  SHA256: d6e4132cce82cbc05b89f2bf88c05464e6b924e06111cf1a4f3188b2e696693f
  SHA512: 483cfcdffb6c972f68de807f042ac40dbfaec9e0bd5c98cb3495fcd8cfadddd557addc2cedcc19264f27a19f62de35d04d77f53af5cd5d230488a230122e4533