Analysis
- max time kernel: 118s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:59

Static task: static1

Behavioral task: behavioral1
- Sample: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe
- Resource: win10v2004-en-20220113
General
- Target: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe
- Size: 60KB
- MD5: 601cd69fe8641d28f847ea638e0e2523
- SHA1: 8b52f880097f48d899c202cd73d9dea76be99d57
- SHA256: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a
- SHA512: 3bd037b294c5610c6a6ab99f90f780f0edf3e9f620410c60badb97262944810f5413bbd684f79c1fc46e0663c35697b7549209881063f580efcc48dabfc67ccc
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1480)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 364)
- Loads dropped DLL (2 IoCs)
  Process: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe (PID 1592), two loads
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe (PID 1592)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The value lands under Wow6432Node because a 32-bit process writing HKLM\SOFTWARE on 64-bit Windows is registry-redirected there; entries in that Run key are still started at logon, so the persistence is effective. When hunting, check the native and the Wow6432Node Run keys under both HKLM and HKCU.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe (PID 1592); Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1592 (0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe) wrote to memory of PID 1480 (MediaCenter.exe): 4 times
  PID 1592 (0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe) wrote to memory of PID 364 (cmd.exe): 4 times
  PID 364 (cmd.exe) wrote to memory of PID 1928 (PING.EXE): 4 times
  Every write here goes from a parent into a child it has just created. Ordinary process start-up also writes into the new process, so with no write into an unrelated process this entry is weak evidence of injection on its own; the dropped-file and Run-key entries above carry the weight.
Processes
- C:\Users\Admin\AppData\Local\Temp\0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe (PID 1592)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1480, child of 1592)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 364, child of 1592)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1928, child of 364)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Two details are worth reading off this tree. The command line asks for System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is a 32-bit process, and WoW64 file-system redirection substitutes the 32-bit cmd.exe, in the same way that the WoW64 registry redirection sent its Run-key write to Wow6432Node. The "ping 127.0.0.1 & del /q <own path>" chain is the usual self-deletion idiom: ping serves only as a delay so the original executable has exited and its file is no longer locked when del runs, while the copy dropped as MediaCenter.exe (PID 1480) stays behind as the persistent component. Detection should therefore key on the command-line shape and on the deleted path being the parent's own image, not on the cmd.exe path.
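As an added example (not part of the sandbox report or of any tool it uses), the script below turns the two behaviours above into detection logic and runs it over a small set of constructed Sysmon-style events that mirror the report's PIDs and paths. The event records, their field names and the benign noise entries are assumptions made for illustration; only the paths, PIDs and command lines are taken from the process tree.

```python
"""Detection logic for the two behaviours in the report above, run over
constructed Sysmon-style events (not real telemetry; an added example).

  1. Run-key persistence whose target lives in a Temp directory.
  2. The `cmd.exe /c ping <addr> & del "<path>"` self-deletion idiom, where
     ping is only a delay so the parent has exited before del runs. It is
     a true self-delete only when <path> is the parent's own image.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe")

# Constructed events. Field names loosely follow Sysmon ProcessCreate (EID 1)
# and RegistryEvent SetValue (EID 13), reduced to what the checks need.
EVENTS: List[dict] = [
    {"type": "process_create", "pid": 1592, "ppid": 1000,
     "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_set", "pid": 1592,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"type": "process_create", "pid": 1480, "ppid": 1592,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    # WoW64 file-system redirection: the command line names System32\cmd.exe
    # but the 32-bit parent actually got SysWOW64\cmd.exe, so match basenames.
    {"type": "process_create", "pid": 364, "ppid": 1592,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process_create", "pid": 1928, "ppid": 364,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Benign noise (constructed) so the checks have something to ignore.
    {"type": "registry_set", "pid": 800,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"type": "process_create", "pid": 2200, "ppid": 2100,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping -n 2 10.0.0.5'},
]

# Run / RunOnce keys under any hive spelling (HKLM, HKCU, \REGISTRY\MACHINE,
# with or without Wow6432Node); group 1 is the value name.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# ping <anything> & del [/switches] "<path>": the ping target and the del
# switches vary between samples, so neither is pinned.
PING_DEL_RE = re.compile(
    r'\bping\b[^&]*&\s*del\b(?:\s+/\w+)*\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)


def executable_of(value: str) -> str:
    """First token of a Run-key value: a quoted path, or text up to the first space."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def temp_run_key(key: str, value: str) -> Optional[str]:
    """Return the Run-key value name if it starts a binary from a Temp directory."""
    m = RUN_KEY_RE.search(key)
    if m and TEMP_DIR_RE.search(executable_of(value)):
        return m.group(1)
    return None


def ping_del_target(cmdline: str) -> Optional[str]:
    """Return the path a `ping ... & del ...` command line deletes, else None."""
    m = PING_DEL_RE.search(cmdline)
    return m.group("path") if m else None


Finding = Tuple[str, int, str]  # (kind, pid, detail)


def detect(events: List[dict]) -> List[Finding]:
    """Run both checks; the parent image lookup decides self- vs delayed delete."""
    images: Dict[int, str] = {e["pid"]: e["image"]
                              for e in events if e["type"] == "process_create"}
    findings: List[Finding] = []
    for e in events:
        if e["type"] == "registry_set":
            name = temp_run_key(e["key"], e["value"])
            if name:
                findings.append(("run_key_in_temp", e["pid"], name))
        elif e["type"] == "process_create" and e["image"].lower().endswith("\\cmd.exe"):
            target = ping_del_target(e["cmdline"])
            if target is None:
                continue
            parent = images.get(e["ppid"], "")
            kind = "self_delete" if target.lower() == parent.lower() else "delayed_delete"
            findings.append((kind, e["pid"], target))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The cmd.exe match is on the image basename rather than the full path precisely because of the System32/SysWOW64 mismatch visible in the tree; the Run-key check likewise accepts both the native and the Wow6432Node spelling. A `delayed_delete` finding (ping-then-del of some other file) is reported separately so it can be triaged with lower priority than a true self-delete.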
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1bb4aeab68c654d675d309b40c0201b1
  SHA1: e84923af5d0ecabcb5b57a38727d684cf8a69604
  SHA256: dbb2b8a94164caf474b94642bf8fba732d3ec3f1fa74b4bfae8617b4b22fddfd
  SHA512: ab78526dc64d3f334b96c96115f5ce59aac7d22f48d3fcc04c78bf1d3a8daa5d22e45c1e79fe0340137bdce97459494f5c4acc0f7ffa1371d3c3ac61cee31d97