Analysis
- max time kernel: 146s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:07
Static task: static1
Behavioral task: behavioral1
- Sample: 0e725990c4b037c1c4e8b0566bdbb24c3373fc14132218cd23a92415e72cc3bc.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0e725990c4b037c1c4e8b0566bdbb24c3373fc14132218cd23a92415e72cc3bc.exe
- Resource: win10v2004-en-20220113
General
- Target: 0e725990c4b037c1c4e8b0566bdbb24c3373fc14132218cd23a92415e72cc3bc.exe
- Size: 36KB
- MD5: ecf732d0110d7b3236a1ad4e3dbe39dc
- SHA1: bfc404e8ba25d0341187c71e8299c42bd01200ed
- SHA256: 0e725990c4b037c1c4e8b0566bdbb24c3373fc14132218cd23a92415e72cc3bc
- SHA512: b921dbd88659fc42f8788f485422251077d7b3e22ad9ad84455d6e59f120a2e3f97f6816c250984d125865b8883d74f4b52e3fb9adff7b114dffae8743db37a0
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1636)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 752)
- Loads dropped DLL (2 IoCs)
  Process: 0e725990c4b037c1c4e8b0566bdbb24c3373fc14132218cd23a92415e72cc3bc.exe (PID 1684), 2 occurrences
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0e725990c4b037c1c4e8b0566bdbb24c3373fc14132218cd23a92415e72cc3bc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0e725990c4b037c1c4e8b0566bdbb24c3373fc14132218cd23a92415e72cc3bc.exe (PID 1684), Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1684 (0e725990c4b037c1c4e8b0566bdbb24c3373fc14132218cd23a92415e72cc3bc.exe) wrote to memory of PID 1636 (MediaCenter.exe), 4 occurrences
  PID 1684 (0e725990c4b037c1c4e8b0566bdbb24c3373fc14132218cd23a92415e72cc3bc.exe) wrote to memory of PID 752 (cmd.exe), 4 occurrences
  PID 752 (cmd.exe) wrote to memory of PID 1440 (PING.EXE), 4 occurrences
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0e725990c4b037c1c4e8b0566bdbb24c3373fc14132218cd23a92415e72cc3bc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e725990c4b037c1c4e8b0566bdbb24c3373fc14132218cd23a92415e72cc3bc.exe"
  PID: 1684
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1636
    - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e725990c4b037c1c4e8b0566bdbb24c3373fc14132218cd23a92415e72cc3bc.exe"
    PID: 752
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1440
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b7c5e0d15261637957e7954e603c6470
  SHA1: af869f125ccbd369c10f25289a13b564f088cf28
  SHA256: 4585d6adc1404485669b7d710ccd5a9d32283a20f9dd01c8ed871ee4ef8eed16
  SHA512: facb3622f31ebd31d1901eafc42ddbb36860e232566bfb40ddb960a0eb6388e665755ee254fbb19705b37a24150c6ba69cd3eb3609c29db164260b37dae87296