Analysis
- max time kernel: 145s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:09
Static task: static1
Behavioral task: behavioral1
- Sample: 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe
- Resource: win10v2004-en-20220113
General
- Target: 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe
- Size: 58KB
- MD5: d07422e7dbff5c15061bc322ac3bede3
- SHA1: 57470e979ee481c9c24db103f3b6ec615cada286
- SHA256: 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd
- SHA512: 777ce6841d87266936819fa2afd0b4f4b6d9a9f7e7656cbdc47d14f2b724fbf1683ff06feb00ac0ce884e92bf1c228dca52f567e9498233588bf54607c20914e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1536)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 364)
- Loads dropped DLL (2 IoCs)
  Processes: 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe (PID 1684), two entries
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe (PID 1684)
  Description: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe, cmd.exe
  Description / PID / process / target process:
  - PID 1684 wrote to memory of 1536 / 1684 / 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe / MediaCenter.exe (4 entries)
  - PID 1684 wrote to memory of 364 / 1684 / 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe / cmd.exe (4 entries)
  - PID 364 wrote to memory of 1928 / 364 / cmd.exe / PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe (level 1, PID 1684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 1536)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 364)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3, PID 1928)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fccb57af98a215b4199619e572476166
  SHA1: 177ed5ad1190702cf80e1881abbf9bd9abff5227
  SHA256: c18b02d55ca1a8419b2ba9a8ab0d505bf5c11121260fc26b8e6cac43c2a9583a
  SHA512: 07177e5280161c7945a1c396d3059b7dfa3a26fc58881ff43364bb897e9d08521b02d7f7ddcd1074fb8b890ddb9c1cb33caf260aab4e119565fcf0d727ef1ff9