Analysis
- max time kernel: 140s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:32
Static task: static1
Behavioral task: behavioral1
- Sample: 0fbb4a7d11fb3c548cf1e41f615128ba940ab163b4d327589b074be59651cce1.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0fbb4a7d11fb3c548cf1e41f615128ba940ab163b4d327589b074be59651cce1.exe
- Resource: win10v2004-en-20220112
General
- Target: 0fbb4a7d11fb3c548cf1e41f615128ba940ab163b4d327589b074be59651cce1.exe
- Size: 35KB
- MD5: f327f74788dced39738c2e32323e3eb8
- SHA1: 4747ba1a38d412625abcf95ad83ba943a708e639
- SHA256: 0fbb4a7d11fb3c548cf1e41f615128ba940ab163b4d327589b074be59651cce1
- SHA512: 6be50d1622096c60594b3dafb794ec61fbc8c8740c04c5f23f3887ba4cbfa6a774d35c086bb5a55b5097250bc9692b8e989a2b8f72b26dc7e1bb456fe21873a9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 2028, MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: PID 788, cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1540, 0fbb4a7d11fb3c548cf1e41f615128ba940ab163b4d327589b074be59651cce1.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0fbb4a7d11fb3c548cf1e41f615128ba940ab163b4d327589b074be59651cce1.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: PID 1540, 0fbb4a7d11fb3c548cf1e41f615128ba940ab163b4d327589b074be59651cce1.exe
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1540 (0fbb4a7d11fb3c548cf1e41f615128ba940ab163b4d327589b074be59651cce1.exe) wrote to memory of PID 2028 (MediaCenter.exe): 4 entries
  PID 1540 (0fbb4a7d11fb3c548cf1e41f615128ba940ab163b4d327589b074be59651cce1.exe) wrote to memory of PID 788 (cmd.exe): 4 entries
  PID 788 (cmd.exe) wrote to memory of PID 796 (PING.EXE): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0fbb4a7d11fb3c548cf1e41f615128ba940ab163b4d327589b074be59651cce1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fbb4a7d11fb3c548cf1e41f615128ba940ab163b4d327589b074be59651cce1.exe"
  PID: 1540
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2028
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fbb4a7d11fb3c548cf1e41f615128ba940ab163b4d327589b074be59651cce1.exe"
    PID: 788
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 796
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- 3 entries, all with identical hashes
  MD5: 200c94807aba78381757a78ab5d09189
  SHA1: e7935f043b466a0dcb207247f6e3346b33ab92b8
  SHA256: 2b1725f052d61208c7ec8f8c554fd81cd0a2d417e3b6e31089b925b225b69c56
  SHA512: 606243c96f467c29a1ba89ac8a79205c8705316478777cc4bb2308d786d6857f846173c02d6c7aa3c719c27fd75c6a5380de487a1e068f266af29c5306024ee4