Analysis
- max time kernel: 153s
- max time network: 174s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:59
Static task: static1
Behavioral task: behavioral1
  Sample: 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe
  Resource: win10v2004-en-20220112
General
- Target: 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe
- Size: 35KB
- MD5: 244d342e008222dbd8f23ae275ee9cd9
- SHA1: 5ffd3a6ec1e05b0dc69cbd1b73a1fe09fce115c6
- SHA256: 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4
- SHA512: 0e18f5cb71888f68868705f5e333056e110022c309b7ea5712cbb0226e3c3504f0123c2cf7ae0895485da8c3bf76d425aafad13310ad5a2401dc764453e73bec
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1588, MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
    1980, cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1608, 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe
    1608, 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str), \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege, 1608, 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1608 wrote to memory of 1588, 1608, 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe, MediaCenter.exe
    PID 1608 wrote to memory of 1588, 1608, 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe, MediaCenter.exe
    PID 1608 wrote to memory of 1588, 1608, 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe, MediaCenter.exe
    PID 1608 wrote to memory of 1588, 1608, 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe, MediaCenter.exe
    PID 1608 wrote to memory of 1980, 1608, 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe, cmd.exe
    PID 1608 wrote to memory of 1980, 1608, 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe, cmd.exe
    PID 1608 wrote to memory of 1980, 1608, 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe, cmd.exe
    PID 1608 wrote to memory of 1980, 1608, 0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe, cmd.exe
    PID 1980 wrote to memory of 1356, 1980, cmd.exe, PING.EXE
    PID 1980 wrote to memory of 1356, 1980, cmd.exe, PING.EXE
    PID 1980 wrote to memory of 1356, 1980, cmd.exe, PING.EXE
    PID 1980 wrote to memory of 1356, 1980, cmd.exe, PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe (PID 1608)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1588)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1980)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c07aafe3da9e4437ca8d51292d57d0b62ad8c83ead5a5b92d762f6ac84af8d4.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1356)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 439b7538464e64a82b97299c2eb58062
  SHA1: 8957d5a493d77193860fa2a2a737411625c017e1
  SHA256: aaad4011b01696eb3f28dfc035a9ff814025d7b449e85ccb60ca28e3c158e5bd
  SHA512: bad8bf11e2a851e6ffcbd528897bb68b0ff99f2b063909f452db4fef0809cb94ae73e96569144ab53be47311e2dc3d639b3cf406a524ba272e60ae9a547d6e23