Analysis
- max time kernel: 125s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:13
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe.exe
  Resource: win10v2004-en-20220112
General
- Target: 0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe.exe
- Size: 36KB
- MD5: 515b5e484df24730eb30a6aa669d2a06
- SHA1: b1b1a3ae6f0d9b02db71f6c87f79d0908d791124
- SHA256: 0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe
- SHA512: f1da061741003ee196bc7c56118c90dd6cafb942d98d9ca9ae613db44187cce753e7d19fccc0abc56c1387c7bc84ce593dac664029400176dda1cc38b682a4c8
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1636, process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: pid 388, process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 1684, process 0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe.exe
             pid 1684, process 0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: pid 1684, 0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe.exe
  Description: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe.exe, cmd.exe
  pid  | process                                                                   | target pid | target process
  1684 | 0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe.exe | 1636       | MediaCenter.exe (4 events)
  1684 | 0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe.exe | 388        | cmd.exe (4 events)
  388  | cmd.exe                                                                   | 432        | PING.EXE (4 events)
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1684
  - (level 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1636
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e2a84cf5da1f7ddf65f4dd4c495be7b6a5b712d532c3e51cd6e0094654ef7fe.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 388
    - (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 432
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: dbfd5bc2e4cec620d3e74a63607b716c
  SHA1: 9ed57b320ed9f74244ef0a366ba67d4e7abd3e3b
  SHA256: 581ac5313545928e6882c1fe9d674d896cc07d0474ecd8ba4cedc92f7e66966d
  SHA512: 13b812d958b2605779542bc13da0d58108e14831cf133f273f17da1e1689c87e8743023a95943379341567e36f4573e459f8fec3fb04fbd8d4eee6faf99fb9be