Analysis
-
max time kernel
145s -
max time network
157s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 07:59
Static task
static1
Behavioral task
behavioral1
Sample
0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe
Resource
win10v2004-en-20220113
General
-
Target
0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe
-
Size
36KB
-
MD5
b0b85b1dc59aa8d3e8185b2e53b438d3
-
SHA1
0dde149d9940268fc58ec89c445db67f23a1a2d9
-
SHA256
0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2
-
SHA512
a3ad963bbc50f8e43dcbaac78cc5541655d105c9321103fe9874c4959df042387ff365ed2a00f093a2a3fc312e95ae86cadf0bfdfdd9f2b0ef3621b09ced11f6
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1860 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1972 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exepid process 612 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe 612 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exedescription pid process Token: SeIncBasePriorityPrivilege 612 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.execmd.exedescription pid process target process PID 612 wrote to memory of 1860 612 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe MediaCenter.exe PID 612 wrote to memory of 1860 612 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe MediaCenter.exe PID 612 wrote to memory of 1860 612 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe MediaCenter.exe PID 612 wrote to memory of 1860 612 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe MediaCenter.exe PID 612 wrote to memory of 1972 612 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe cmd.exe PID 612 wrote to memory of 1972 612 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe cmd.exe PID 612 wrote to memory of 1972 612 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe cmd.exe PID 612 wrote to memory of 1972 612 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe cmd.exe PID 1972 wrote to memory of 1044 1972 cmd.exe PING.EXE PID 1972 wrote to memory of 1044 1972 cmd.exe PING.EXE PID 1972 wrote to memory of 1044 1972 cmd.exe PING.EXE PID 1972 wrote to memory of 1044 1972 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe"C:\Users\Admin\AppData\Local\Temp\0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1044
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
32568b052796c85cbfeea05aaa5a35d0
SHA10a0112ce6947554dc29c73396a9282ece66edf82
SHA256d887d39f1888ae1df5154c6a9f4e6c662c3fcadf9fda90f7e4d9af08ab6d52b7
SHA51203edaf00a8afef107e576e92f1261d614436c9a2a1daa95025e7598dcb2041ad0356ce9e60f2d57c966900d565f85e1a86d071ec23f28f91cc344a67746d7456
-
MD5
32568b052796c85cbfeea05aaa5a35d0
SHA10a0112ce6947554dc29c73396a9282ece66edf82
SHA256d887d39f1888ae1df5154c6a9f4e6c662c3fcadf9fda90f7e4d9af08ab6d52b7
SHA51203edaf00a8afef107e576e92f1261d614436c9a2a1daa95025e7598dcb2041ad0356ce9e60f2d57c966900d565f85e1a86d071ec23f28f91cc344a67746d7456
-
MD5
32568b052796c85cbfeea05aaa5a35d0
SHA10a0112ce6947554dc29c73396a9282ece66edf82
SHA256d887d39f1888ae1df5154c6a9f4e6c662c3fcadf9fda90f7e4d9af08ab6d52b7
SHA51203edaf00a8afef107e576e92f1261d614436c9a2a1daa95025e7598dcb2041ad0356ce9e60f2d57c966900d565f85e1a86d071ec23f28f91cc344a67746d7456