Analysis
max time kernel: 121s
max time network: 143s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:11
Static task: static1
Behavioral task: behavioral1
  Sample: 0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe
  Resource: win10v2004-en-20220112
General
Target: 0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe
Size: 60KB
MD5: dfe55ede9c6d0a0230c2abc7185feeaa
SHA1: bb43975205c0ca74c91eb37d2a101e8a0a3617ad
SHA256: 0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3
SHA512: 2e278030ae5eec3f38c9fafee14b9ba59d9dda5b85368a0bfbe88ed03cbfd052436887c45b05a9867c03db79f5c37eb1c27216021b27a226f83bcb715e615894
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    516   MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    1172  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    956   0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe
    956   0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                                         process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                        pid   process
    Token: SeIncBasePriorityPrivilege  956   0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 956 wrote to memory of 516    956   0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe  MediaCenter.exe
    PID 956 wrote to memory of 516    956   0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe  MediaCenter.exe
    PID 956 wrote to memory of 516    956   0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe  MediaCenter.exe
    PID 956 wrote to memory of 516    956   0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe  MediaCenter.exe
    PID 956 wrote to memory of 1172   956   0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe  cmd.exe
    PID 956 wrote to memory of 1172   956   0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe  cmd.exe
    PID 956 wrote to memory of 1172   956   0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe  cmd.exe
    PID 956 wrote to memory of 1172   956   0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe  cmd.exe
    PID 1172 wrote to memory of 1204  1172  cmd.exe                                                                   PING.EXE
    PID 1172 wrote to memory of 1204  1172  cmd.exe                                                                   PING.EXE
    PID 1172 wrote to memory of 1204  1172  cmd.exe                                                                   PING.EXE
    PID 1172 wrote to memory of 1204  1172  cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 956
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 516
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e40b11f531b82ab5918e882e2ffbf8cc5db98c4d33269574d18deae818e94c3.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1172
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1204
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 76ffa0f0e7e088f12ca20e3858108475
  SHA1: 34e8e4de66e133247a8f1fdb3f845be6427f2c03
  SHA256: d116f6b5046df783d9640283b350e3cd5a1c61f7cf71e952309e2db31104194a
  SHA512: 959c93457111078dc29f3e001d7cd498637cdb4c3cd2951850ded45cb07b34a8ae2733884095ac4039f8be36bc891457d41c42a862c7279acc91dd173b5842ed