Analysis
- max time kernel: 151s
- max time network: 162s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:59
Static task: static1
Behavioral task: behavioral1
  Sample: 02cc7e7b59be8ad83fddf477153e5e60761234377711f2b5e44b7341d4d792f4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 02cc7e7b59be8ad83fddf477153e5e60761234377711f2b5e44b7341d4d792f4.exe
  Resource: win10v2004-en-20220113
General
- Target: 02cc7e7b59be8ad83fddf477153e5e60761234377711f2b5e44b7341d4d792f4.exe
- Size: 58KB
- MD5: bfd2de058b20381b79b6cccc650cf579
- SHA1: 0ec41654d8ad162700208c675d18f73e643b876a
- SHA256: 02cc7e7b59be8ad83fddf477153e5e60761234377711f2b5e44b7341d4d792f4
- SHA512: 3dd523aac03a347501dc1278f497c0d6234c099e913b4231b485151e96c2026ae8aefd4b83448e5ac64f12f853acaebbc2d5d351122b708bdede424c518cb979
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    MediaCenter.exe (PID 1468)
- Deletes itself (1 IoC)
  Processes:
    cmd.exe (PID 1320)
- Loads dropped DLL (2 IoCs)
  Processes:
    02cc7e7b59be8ad83fddf477153e5e60761234377711f2b5e44b7341d4d792f4.exe (PID 1296), recorded twice
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Process: 02cc7e7b59be8ad83fddf477153e5e60761234377711f2b5e44b7341d4d792f4.exe
    Description: Set value (str)
    IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Process: 02cc7e7b59be8ad83fddf477153e5e60761234377711f2b5e44b7341d4d792f4.exe (PID 1296)
    Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID, source process, target PID, target process, number of writes recorded):
    1296  02cc7e7b59be8ad83fddf477153e5e60761234377711f2b5e44b7341d4d792f4.exe  ->  1468  MediaCenter.exe  (4)
    1296  02cc7e7b59be8ad83fddf477153e5e60761234377711f2b5e44b7341d4d792f4.exe  ->  1320  cmd.exe          (4)
    1320  cmd.exe                                                                ->  392   PING.EXE         (4)
Processes (process tree; depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\02cc7e7b59be8ad83fddf477153e5e60761234377711f2b5e44b7341d4d792f4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\02cc7e7b59be8ad83fddf477153e5e60761234377711f2b5e44b7341d4d792f4.exe"
  PID: 1296
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1468
      - Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02cc7e7b59be8ad83fddf477153e5e60761234377711f2b5e44b7341d4d792f4.exe"
      PID: 1320
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 392
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 851310f68b5ec0992a444c7918db14ae
  SHA1: c01a63ef5fe7dd4f19e75e5c3c11fa74be220ba9
  SHA256: 7f5364c52c4542e0e35b663493159bfbd3580b867a9a5ec4240d1587ede623f1
  SHA512: d0032f35e3888cdae8954016e7c7226373fe8f5032e5f19bd31128f05f6ec8542c62dfd6677278e3e84ba512d36349bb34a9cbf3b07f3185f0f0a4d5f1dab1bc
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 851310f68b5ec0992a444c7918db14ae
  SHA1: c01a63ef5fe7dd4f19e75e5c3c11fa74be220ba9
  SHA256: 7f5364c52c4542e0e35b663493159bfbd3580b867a9a5ec4240d1587ede623f1
  SHA512: d0032f35e3888cdae8954016e7c7226373fe8f5032e5f19bd31128f05f6ec8542c62dfd6677278e3e84ba512d36349bb34a9cbf3b07f3185f0f0a4d5f1dab1bc
- memory/1296-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
  Filesize: 8KB