Analysis
- max time kernel: 123s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:09
Static task: static1
Behavioral task: behavioral1
  Sample: 0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe
  Resource: win10v2004-en-20220112
General
- Target: 0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe
- Size: 36KB
- MD5: 59f9cda8b328c70e38c267402fc47073
- SHA1: 4529eaceefa361af43aeff3ddf7cb02ae416134e
- SHA256: 0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51
- SHA512: 8fb82dd4b85af645804c535d5ba9681768c90a98c9a0ce42f6c811a66d4cc639927753698370da600f09d3c5aec53cc7112cd82067114516e6d79608ed26f07f
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  1744  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid   process
  1220  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  1512  0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe
  1512  0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description      ioc                                                                                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1512  0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                       pid   process                                                                   target process
  PID 1512 wrote to memory of 1744  1512  0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe  MediaCenter.exe
  PID 1512 wrote to memory of 1744  1512  0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe  MediaCenter.exe
  PID 1512 wrote to memory of 1744  1512  0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe  MediaCenter.exe
  PID 1512 wrote to memory of 1744  1512  0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe  MediaCenter.exe
  PID 1512 wrote to memory of 1220  1512  0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe  cmd.exe
  PID 1512 wrote to memory of 1220  1512  0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe  cmd.exe
  PID 1512 wrote to memory of 1220  1512  0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe  cmd.exe
  PID 1512 wrote to memory of 1220  1512  0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe  cmd.exe
  PID 1220 wrote to memory of 1328  1220  cmd.exe                                                                   PING.EXE
  PID 1220 wrote to memory of 1328  1220  cmd.exe                                                                   PING.EXE
  PID 1220 wrote to memory of 1328  1220  cmd.exe                                                                   PING.EXE
  PID 1220 wrote to memory of 1328  1220  cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1512
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1744
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e5f5d373e4283271950b6f5d15b7f5400e2bd1b815c8931e203d13a33d51f51.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1220
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1328
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9e86996677bbe284195f47ff8aba0463
  SHA1: a9ed36c5ec58bfa599a6371c396cc28f9e9209aa
  SHA256: 0f050812117803c8b73ac2edfd4e833c518d7d6cc1eea5b0c7bbf1c03903c375
  SHA512: ded6f38f11bec0a27d6661c6ba40da92286cf204e18b2d2d9e23a27548dc02f5c3e49728a6bea02cba0b24c72fd5bfeecb49f9ce49e9b8c459a76bebe8229aad