Analysis
- max time kernel: 140s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:59
Static task: static1
Behavioral task: behavioral1
  Sample: 0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe
  Resource: win10v2004-en-20220113
General
- Target: 0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe
- Size: 58KB
- MD5: d971ac16f5269f42e7ab764a283387fa
- SHA1: b5cc8d439e46fe042eafbe6465dbd56788c884a3
- SHA256: 0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12
- SHA512: 6bf274ce369bfd996e78ebe1622be80288870e72db1ec012c9dbf83edc08a692120511fe7597f70769be7c42c38386ccee4af4a5eefdeff30529f7a70c545c74
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 1220  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid 1640  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1624  0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe
    pid 1624  0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid 1624  0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid -> target pid, source process -> target process):
    PID 1624 wrote to memory of 1220  0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe -> MediaCenter.exe
    PID 1624 wrote to memory of 1220  0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe -> MediaCenter.exe
    PID 1624 wrote to memory of 1220  0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe -> MediaCenter.exe
    PID 1624 wrote to memory of 1220  0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe -> MediaCenter.exe
    PID 1624 wrote to memory of 1640  0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe -> cmd.exe
    PID 1624 wrote to memory of 1640  0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe -> cmd.exe
    PID 1624 wrote to memory of 1640  0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe -> cmd.exe
    PID 1624 wrote to memory of 1640  0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe -> cmd.exe
    PID 1640 wrote to memory of 1648  cmd.exe -> PING.EXE
    PID 1640 wrote to memory of 1648  cmd.exe -> PING.EXE
    PID 1640 wrote to memory of 1648  cmd.exe -> PING.EXE
    PID 1640 wrote to memory of 1648  cmd.exe -> PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1624
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1220
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c0d214027e3b5d8f1434550d2cb513155a68b2b6612e2d473d0a17a8368dd12.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1640
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1648
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e9d52157521beb442fc3a499b3a187fd
  SHA1: 0918a4f5c5f2c75dd6fe4a009a2a46fe49dd4d8f
  SHA256: 9ad62429fcfd0c710ce3a65b53c62045a813c5b37db9efe55afdd36ef619044d
  SHA512: 8958e13d9ad3405e0866f899774ec2dadd38b1840729c1ef28ecfd7378e61492c5d14dd022b5550a24f0fa228b495e924ea192e7ae4b19079a71a552eca90db9