Analysis
- Max time kernel: 154s
- Max time network: 169s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 12-02-2022 07:37
Static task: static1
Behavioral task: behavioral1
- Sample: 0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe
- Resource: win10v2004-en-20220113
General
- Target: 0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe
- Size: 60KB
- MD5: 51e81941183e19dcc34a5d2fa1aaa1b3
- SHA1: 835a0feab695aabef26e8f5d135c4faf3306c7bf
- SHA256: 0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5
- SHA512: 26e6f86d199b231d0772ad0e619c173adfd2121356cc43bc50dda3206a759f4664a0486d3d00b0942df66f62330f36b8410d62164c3ab2ce41d1058f134d4cb0
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1792)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 1112)
- Loads dropped DLL (2 IoCs)
  Process: 0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe (PID 1692), two loads recorded by the same process
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe (PID 1692)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path means the write came from a 32-bit process on the x64 guest (registry redirection of HKLM\SOFTWARE). The value points at a copy under the user's Temp directory, so the autostart target sits in a user-writable location and persists only as long as that file does.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but the label is a generic heuristic: no IoC is attached to it in this run and nothing in the process tree shows file encryption or a ransom note, so treat it as a prompt for closer inspection rather than a finding.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 1808), spawned by cmd.exe as the delay in the self-delete chain shown in the process tree
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe (PID 1692) enabled Token: SeIncBasePriorityPrivilege
  This privilege only permits raising scheduling priority and is routinely enabled by ordinary software, so by itself it is weak evidence.
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  - PID 1692 (0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe) wrote to memory of PID 1792 (MediaCenter.exe), 4 times
  - PID 1692 (0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe) wrote to memory of PID 1112 (cmd.exe), 4 times
  - PID 1112 (cmd.exe) wrote to memory of PID 1808 (PING.EXE), 4 times
  Every write targets a direct child the writer has just created, and the same four-write pattern appears for cmd.exe starting PING.EXE. That is consistent with normal process start-up (the creator populates the new process before it runs) rather than injection into an unrelated process; the cmd.exe to PING.EXE entries are a useful baseline for what the benign case looks like.
Processes
C:\Users\Admin\AppData\Local\Temp\0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe (PID 1692)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1792)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe (PID 1112)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 1808)
          Command line: ping 127.0.0.1
          - Runs ping.exe

Two details in this tree deserve attention. The cmd.exe command line names System32, yet the image that actually ran is in SysWOW64: the 32-bit parent is subject to file-system redirection, which independently confirms what the Wow6432Node Run key already showed. The 'ping 127.0.0.1 & del /q "<own path>"' idiom is a self-delete: four loopback echo requests take roughly three seconds, long enough for the parent to exit and release its file handle before del runs, so the original executable is gone once MediaCenter.exe has been dropped and registered for autostart.
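The three behaviours in this tree (sleep-then-delete via cmd.exe, a Run key pointing into a user-writable directory, and System32 to SysWOW64 image redirection that betrays a 32-bit launcher) are easy to turn into detection logic. The following is an added example, not code from the sandbox or the report: it runs over constructed Sysmon-style events modelled on the PIDs and paths above plus two benign controls. The event dict shape and field names are this example's own assumptions, not a real Sysmon schema.

```python
"""Added example: hunt for the behaviours recorded in the report above over
constructed Sysmon-style process/registry events (not real telemetry)."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the process tree and Run key above. The dict
# shape (type/pid/ppid/image/cmdline/key/value) is this example's own assumption,
# not a Sysmon schema. The last two records are benign controls that must not fire.
EVENTS = [
    {"type": "process", "pid": 1692, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 1792, "ppid": 1692, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 1112, "ppid": 1692, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1808, "ppid": 1112, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"type": "registry", "pid": 1692,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": 2000, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 127.0.0.1 -n 4"},
    {"type": "registry", "pid": 2001,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# ping/timeout/waitfor ahead of del is the usual sleep-then-delete idiom.
DELAY_RE = re.compile(r"\b(?:ping|timeout|waitfor)\b", re.I)
# del/erase, optional switches such as /q, then a possibly quoted target path.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"&|]+?)"?\s*(?:$|[&|])', re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
# Directories an unprivileged user can write to; matched against lower-cased paths.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def _procs(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def find_self_delete(events):
    """cmd.exe that deletes its own parent's image after a ping/timeout delay."""
    procs = _procs(events)
    hits = []
    for e in procs.values():
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m or not DELAY_RE.search(e["cmdline"][: m.start()]):
            continue
        parent = procs.get(e["ppid"])
        target = m.group(1).strip()
        if parent and ntpath.normcase(target) == ntpath.normcase(parent["image"]):
            hits.append({"pid": e["pid"], "ppid": parent["pid"], "deleted": target})
    return hits


def find_user_writable_run_keys(events):
    """Run/RunOnce values whose target lives in a user-writable directory.
    wow64_writer marks a Wow6432Node key, i.e. a 32-bit writer on 64-bit Windows."""
    hits = []
    for e in events:
        if e["type"] != "registry":
            continue
        m = RUN_KEY_RE.search(e["key"])
        if not m:
            continue
        target = ntpath.normcase(e["value"].strip('"'))
        if any(marker in target for marker in USER_WRITABLE):
            hits.append({"pid": e["pid"], "value_name": m.group(1), "target": e["value"],
                         "wow64_writer": "\\wow6432node\\" in e["key"].lower()})
    return hits


def find_wow64_redirection(events):
    """PIDs whose command line names System32 but whose image resolved to SysWOW64:
    file-system redirection, so the process that launched them was 32-bit."""
    hits = []
    for e in _procs(events).values():
        cmd = e["cmdline"].lstrip()
        claimed = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        claimed, actual = ntpath.normcase(claimed), ntpath.normcase(e["image"])
        if "\\system32\\" in claimed and "\\syswow64\\" in actual and claimed != actual:
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    for hit in find_self_delete(EVENTS):
        print("self-delete:", hit)
    for hit in find_user_writable_run_keys(EVENTS):
        print("run key:", hit)
    print("wow64-redirected pids:", find_wow64_redirection(EVENTS))
```

The self-delete check deliberately requires the del target to equal the parent's image path rather than matching on "ping & del" alone, which is why the control cmd.exe that only pings is not flagged; the Run-key check likewise ignores the OneDrive entry under Program Files. Real deployments would feed the same functions from Sysmon Event ID 1 and 13 records instead of the constructed list.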
Network
MITRE ATT&CK Enterprise v6
Downloads
- One artifact (its hashes differ from the submitted sample)
  MD5: 2873338752188b57c269df071df9ea3b
  SHA1: a58f108c022176df5c4d7c7e0c41a1a573c4690e
  SHA256: cffd4d9803be1e13a7ebe79d3b739a850d4599eb0aa832c7d1ef96049befc2fc
  SHA512: ba60c932750eab5adb464c1dbf44947b930d25923686a2a80423d604d016de05681ed5aca79a7ed38d3225f2ed0da8814df80f3f05d8ccbd158c1a6279fc265d