Analysis
- max time kernel: 148s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:07
Static task: static1
Behavioral task: behavioral1
  Sample: 0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe
  Resource: win10v2004-en-20220112
General
- Target: 0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe
- Size: 36KB
- MD5: 1eb56daedbd0678c9c1fe323aff36ee2
- SHA1: 3406785deee9a66a76dd7358c952fb0b44dc4c0e
- SHA256: 0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26
- SHA512: 7582d5723fdc808f2346148d6f87faa8c55d6aee63fbe66b76d7b5cd468bedb84901f203d8017289cbe36b5a4a0f9a3063c1c473e83e19ba838ed2ed98bff712
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe, PID 1864
- Deletes itself (1 IoCs)
  Processes: cmd.exe, PID 1992
- Loads dropped DLL (2 IoCs)
  Processes: 0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe
    PID 952 0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe
    PID 952 0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe
    Token: SeIncBasePriorityPrivilege, PID 952
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe, cmd.exe
    PID 952 (0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe) wrote to memory of PID 1864 (MediaCenter.exe)
    PID 952 (0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe) wrote to memory of PID 1864 (MediaCenter.exe)
    PID 952 (0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe) wrote to memory of PID 1864 (MediaCenter.exe)
    PID 952 (0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe) wrote to memory of PID 1864 (MediaCenter.exe)
    PID 952 (0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe) wrote to memory of PID 1992 (cmd.exe)
    PID 952 (0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe) wrote to memory of PID 1992 (cmd.exe)
    PID 952 (0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe) wrote to memory of PID 1992 (cmd.exe)
    PID 952 (0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe) wrote to memory of PID 1992 (cmd.exe)
    PID 1992 (cmd.exe) wrote to memory of PID 1984 (PING.EXE)
    PID 1992 (cmd.exe) wrote to memory of PID 1984 (PING.EXE)
    PID 1992 (cmd.exe) wrote to memory of PID 1984 (PING.EXE)
    PID 1992 (cmd.exe) wrote to memory of PID 1984 (PING.EXE)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 952
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1864
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ba3737088544219ea9dd33842fe14f470789da07f6ed6f3877cb7171cb75a26.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1992
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1984
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4948c9e148fcc9bab0f92311bb3bd1ff
  SHA1: 46ac2bdeb38f61e39e684964422cd281a0e13cc6
  SHA256: a0fd6ec4ed81f6d3cbf037fdf8930c3a6ad3f2e89eaf0d8ed3b136229cb823b7
  SHA512: 3e0c7ccb062d4368d75b5c08dca70bde5138bed3d068bbda83bfe2e353e0eea0ab2860f67deb07b17575f9725fcb90821212e597863788a14a3ad98aabbf8b22