Analysis
- max time kernel: 153s
- max time network: 163s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:15
Static task: static1
Behavioral task: behavioral1
- Sample: 0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe
- Resource: win10v2004-en-20220112
General
- Target: 0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe
- Size: 60KB
- MD5: ed3883d25ab8fe16dbafe4c975cdee32
- SHA1: 5671ea38fa95a6cdffbf81fa2b3575e6bc2304a0
- SHA256: 0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb
- SHA512: f03cfda2fe3e753bee48e92b0ba26133c83f0202faf89641a3ae9e510fd72ab37510139377acb2fef6a8021b9e724ef8f74e7e480c2e75e6444dc33a96a59cdd
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1328, MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: pid 1672, cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 1308, 0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe, Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pid 1308, 0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe, Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (pid, process, target process):
  PID 1308 (0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe) wrote to memory of 1328 (MediaCenter.exe): 4 entries
  PID 1308 (0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe) wrote to memory of 1672 (cmd.exe): 4 entries
  PID 1672 (cmd.exe) wrote to memory of 1120 (PING.EXE): 4 entries
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1308
  - Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1328
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1672
    - Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1120
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 153def4fc2ac1300e0d1a33d57197a4e
- SHA1: 98ae0026e71752a02af360368f7d906d6303241d
- SHA256: 86010175f6327d9466ea42565d30e69fe3678f9b64d6f1fc91aef37fd54b097e
- SHA512: ad5e208f048db1e60f2e11db68ee08eba0562ce502758e5090c4eda8b70883af4f7088aefa23d213df6e5ac1e6b4b21a1ff5dac34719b43ec83807e9862f5783