Analysis

max time kernel: 149s
max time network: 177s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:10

Static task: static1

Behavioral task: behavioral1
  Sample: 0e5965850ebc4c0817a266346f0ba6a116b0aba84ea199d6b99a1db660efe8f3.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0e5965850ebc4c0817a266346f0ba6a116b0aba84ea199d6b99a1db660efe8f3.exe
  Resource: win10v2004-en-20220113
General

Target: 0e5965850ebc4c0817a266346f0ba6a116b0aba84ea199d6b99a1db660efe8f3.exe
Size: 58KB
MD5: 038cb34359f23bc2cd33f0110bf94510
SHA1: 64b87339551d1f40f6f244b43c0a9b4be7f9d044
SHA256: 0e5965850ebc4c0817a266346f0ba6a116b0aba84ea199d6b99a1db660efe8f3
SHA512: 685291aaab1f49ab286521d1cddacad79bb540c522f2c8aaaa92c709a76860d0a8c50d7acefb98a5ed405356433d93ca29cea4165b74ccb274d051776e01e38e
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1752

Deletes itself (1 IoC)
  Process: cmd.exe, PID 2040 (the cmd.exe child deletes the original sample on the sample's behalf; see the process tree)

Loads dropped DLL (2 IoCs)
  Process: 0e5965850ebc4c0817a266346f0ba6a116b0aba84ea199d6b99a1db660efe8f3.exe, PID 952 (two load events; the report does not list the DLL paths)

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0e5965850ebc4c0817a266346f0ba6a116b0aba84ea199d6b99a1db660efe8f3.exe, PID 952
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The value is machine-wide (HKLM) and lands under Wow6432Node, which is where WoW64 registry redirection places HKLM\SOFTWARE writes from a 32-bit process on a 64-bit host. The autostart target sits in the user's Temp directory, not a program directory.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature; the report lists no process or IoC for it.)

Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE, PID 1320 (see the process tree)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0e5965850ebc4c0817a266346f0ba6a116b0aba84ea199d6b99a1db660efe8f3.exe, PID 952
  Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  Source process                                                                          Target process           Writes
  PID 952  0e5965850ebc4c0817a266346f0ba6a116b0aba84ea199d6b99a1db660efe8f3.exe     ->  PID 1752 MediaCenter.exe   4
  PID 952  0e5965850ebc4c0817a266346f0ba6a116b0aba84ea199d6b99a1db660efe8f3.exe     ->  PID 2040 cmd.exe           4
  PID 2040 cmd.exe                                                                     ->  PID 1320 PING.EXE          4
  Every write targets a child the source process had just spawned, i.e. the pattern of process creation rather than of injection into an unrelated, pre-existing process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\0e5965850ebc4c0817a266346f0ba6a116b0aba84ea199d6b99a1db660efe8f3.exe (PID 952)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0e5965850ebc4c0817a266346f0ba6a116b0aba84ea199d6b99a1db660efe8f3.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1752, child of 952)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe (PID 2040, child of 952)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e5965850ebc4c0817a266346f0ba6a116b0aba84ea199d6b99a1db660efe8f3.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE (PID 1320, child of 2040)
         Command line: ping 127.0.0.1
         - Runs ping.exe

Two details of this tree matter for detection. First, the command line names C:\Windows\System32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: the parent is a 32-bit process, so WoW64 file-system redirection maps System32 to SysWOW64. Rules that match on the System32 path alone will miss this child. Second, the cmd.exe command line is the classic self-removal idiom: ping 127.0.0.1 serves only as a delay of a few seconds so the sample has exited before del /q removes its file; the sample itself never touches the network. The dropped copy in %LOCALAPPDATA%\Temp\MicroMedia\MediaCenter.exe and the Run key that points to it are what remains on the host.
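The self-deletion chain and the Run-key write above are the two behaviours worth turning into detections. What follows is an added example, not part of the sandbox report: Python detection logic run over Sysmon-style process-creation and registry-set events that are constructed inline to mirror the process tree (the event dictionaries, their field names and the benign noise rows are this example's assumptions, not the sandbox's own log format). It resolves the parent image by PID so that a cmd.exe that deletes its parent's executable is flagged while an ordinary `del` is not, and it normalises the Wow6432Node path so 32-bit and 64-bit Run keys are treated alike.

```python
"""Detection logic for two behaviours in the report: self-deletion via
'cmd /c ping 127.0.0.1 & del /q <own path>' and a Run-key value that points
into a user-writable location. Input is constructed Sysmon-style events."""
import re
from typing import Dict, List

# Constructed sample events modelled on the process tree and Run-key IoC above.
# They are example input for this block, not the sandbox's own event log.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0e5965850ebc4c0817a266346f0ba6a116b0aba84ea199d6b99a1db660efe8f3.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 952, "ppid": 600, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "process_create", "pid": 1752, "ppid": 952, "image": DROPPED,
     "cmdline": DROPPED},
    # 32-bit child: the image resolves under SysWOW64 although the command line
    # names System32 (WoW64 file-system redirection), so match on the basename.
    {"type": "process_create", "pid": 2040, "ppid": 952,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "process_create", "pid": 1320, "ppid": 2040,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"type": "registry_set", "pid": 952,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    # Constructed benign noise: an interactive cleanup and a vendor autostart.
    {"type": "process_create", "pid": 2500, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 3000, "ppid": 2500,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /q C:\Temp\old.log"},
    {"type": "registry_set", "pid": 4000,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "value": r'"C:\Program Files\Vendor\Agent.exe" /background'},
]

# 'del' or 'erase', optional switches, then a quoted or bare path to end of segment.
_DEL = re.compile(r'(?:^|\s)(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
# Run/RunOnce under either the native or the Wow6432Node view of HKLM\SOFTWARE.
_RUN_KEY = re.compile(r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
                      re.IGNORECASE)
_USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\",
                            re.IGNORECASE)
_DELAY = re.compile(r"\b(?:ping|timeout|choice)\b", re.IGNORECASE)


def deleted_targets(cmdline: str) -> List[str]:
    """Paths a cmd.exe command line deletes, one per '&'/'&&'/'||' segment."""
    targets = []
    for segment in re.split(r"\s*(?:&&|&|\|\|)\s*", cmdline):
        m = _DEL.search(segment)
        if m:
            targets.append(m.group(1))
    return targets


def first_executable(value: str) -> str:
    """Executable part of a Run value: the quoted path, else the first token."""
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split(" ", 1)[0]


def detect_self_delete(events: List[Dict]) -> List[Dict]:
    """Flag a cmd.exe whose command line deletes its own parent's image."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] != "process_create" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = image_by_pid.get(e["ppid"], "").lower()
        for target in deleted_targets(e["cmdline"]):
            if target.lower() == parent:
                findings.append({"rule": "cmd_deletes_parent_image", "pid": e["pid"],
                                 "parent_pid": e["ppid"], "target": target,
                                 "delayed": bool(_DELAY.search(e["cmdline"]))})
    return findings


def detect_run_key_persistence(events: List[Dict]) -> List[Dict]:
    """Flag Run/RunOnce values whose executable lives in a user-writable location."""
    findings = []
    for e in events:
        if e["type"] != "registry_set" or not _RUN_KEY.search(e["key"]):
            continue
        target = first_executable(e["value"])
        if _USER_WRITABLE.search(target):
            findings.append({"rule": "run_key_points_to_user_writable_path", "pid": e["pid"],
                             "key": e["key"], "target": target,
                             "wow64_redirected": "wow6432node" in e["key"].lower()})
    return findings


if __name__ == "__main__":
    for finding in detect_self_delete(EVENTS) + detect_run_key_persistence(EVENTS):
        print(finding)
```

Run against the constructed events, the self-delete rule fires once, for PID 2040 deleting the PID 952 image with a ping delay, and the Run-key rule fires once, for the Wow6432Node MicroMedia value pointing into Temp; the explorer-spawned cleanup and the Program Files autostart produce nothing. On real telemetry the parent lookup needs a process cache keyed by PID plus creation time, since PIDs are reused.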
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: b07a03a03ff4e81e2932b143c4ba5640
SHA1: 21ccab9cd9853531758b4f334c672544a9578d67
SHA256: dda447f4d0ff28cb90be58c38f4cd483871bd17caef6bc66effde4ef8c5ba7d7
SHA512: bd54f2635ba3324388dda4f062dd9b501405aa4d2fb6fcfb22f9a813ff7661dde6910ebcc7275e9618b75a4f308e76bf0064c9bb5a3096d12f5236e29979fceb