Analysis
- max time kernel: 123s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:15
Static task: static1
Behavioral task: behavioral1
  Sample: 0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe
  Resource: win10v2004-en-20220112
General
- Target: 0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe
- Size: 58KB
- MD5: 5c13701293bd0ddc91647a090aa074ba
- SHA1: 27a6ab7ee3c7cb38f161cddcb3798c6742c65f1d
- SHA256: 0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7
- SHA512: c74832b3713e353136e68871ac8f7a43acd58c56a39c5a2a58fb15b116c3f72077e189a25bb28be3871d7003f804e8b898052777d14fc026a0e986a315b06f98
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    1564  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
    364  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    972  0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe
    972  0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege
    972  0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 972 wrote to memory of 1564  972  0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe  MediaCenter.exe
    PID 972 wrote to memory of 1564  972  0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe  MediaCenter.exe
    PID 972 wrote to memory of 1564  972  0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe  MediaCenter.exe
    PID 972 wrote to memory of 1564  972  0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe  MediaCenter.exe
    PID 972 wrote to memory of 364   972  0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe  cmd.exe
    PID 972 wrote to memory of 364   972  0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe  cmd.exe
    PID 972 wrote to memory of 364   972  0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe  cmd.exe
    PID 972 wrote to memory of 364   972  0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe  cmd.exe
    PID 364 wrote to memory of 2024  364  cmd.exe  PING.EXE
    PID 364 wrote to memory of 2024  364  cmd.exe  PING.EXE
    PID 364 wrote to memory of 2024  364  cmd.exe  PING.EXE
    PID 364 wrote to memory of 2024  364  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 972
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1564
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e1d4ffec170d180725d0458ebe47a317d15dd7abf4a3d3f16f8931097d2c8d7.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 364
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2024
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b3b4d6460a5115c3515d08e6673966ca
  SHA1: 1c3f9071216c6efa7fc95e0399aae0f25764a7f7
  SHA256: 49c48288153c84013d8b181a83206c01d7fa90723ba105fa1c8afffb772a2294
  SHA512: 3c21b6700d3fcb23ba5b738e24ad528632271ac27adbf2007137553afae4d496827cb449cc6a9df56431c4bc1637598be981c3e4c6b1111f5078e39c193f5152