Analysis
- max time kernel: 123s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:16
Static task: static1
Behavioral task: behavioral1
  Sample: 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe
  Resource: win10v2004-en-20220113
General
- Target: 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe
- Size: 60KB
- MD5: 8632b39c94f22b37ee971ee975a0c591
- SHA1: dd9334a24935476341f19b2c32707959d7fb3db1
- SHA256: 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6
- SHA512: 40f9c16865a5ff7b4e5de47b2b886def322b9e4905c5a29bf270f533ff797a6cfd77255f5776382b4d8bb56f9dbaf8af781e3989e3ce1877d40934f5c87120e5
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid 1924, process MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid 432, process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe
    pid 1040, process 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe
    pid 1040, process 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe
    description: Token: SeIncBasePriorityPrivilege
    pid: 1040
    process: 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe, cmd.exe
  (columns: description | pid | process | target process)
    PID 1040 wrote to memory of 1924 | 1040 | 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe | MediaCenter.exe
    PID 1040 wrote to memory of 1924 | 1040 | 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe | MediaCenter.exe
    PID 1040 wrote to memory of 1924 | 1040 | 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe | MediaCenter.exe
    PID 1040 wrote to memory of 1924 | 1040 | 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe | MediaCenter.exe
    PID 1040 wrote to memory of 432 | 1040 | 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe | cmd.exe
    PID 1040 wrote to memory of 432 | 1040 | 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe | cmd.exe
    PID 1040 wrote to memory of 432 | 1040 | 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe | cmd.exe
    PID 1040 wrote to memory of 432 | 1040 | 0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe | cmd.exe
    PID 432 wrote to memory of 1856 | 432 | cmd.exe | PING.EXE
    PID 432 wrote to memory of 1856 | 432 | cmd.exe | PING.EXE
    PID 432 wrote to memory of 1856 | 432 | cmd.exe | PING.EXE
    PID 432 wrote to memory of 1856 | 432 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1040
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1924
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e1641e0cb465c98387699d9635de009fbdae7372f106ac29ec2332eed1d0ca6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 432
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1856
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: feaa81f3022637b5f5e5e046a611ad52
  SHA1: f5bdfb1d4782351c68d30d3071fbfbecc251e379
  SHA256: 6626233fa1e22e6cfb660462149eb94a946ac7e36d1eeced54e2cd3eee59b22a
  SHA512: 25389297cf09f304f4e2014a84aba657005661550d3a70c09fc496922a460dd9b9fda9c36fd2d53cb3d14c0afbe4d4c3b39d719e11821fc8d3b0744e46827039