Analysis
- max time kernel: 152s
- max time network: 162s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:08
Static task: static1
Behavioral task: behavioral1
- Sample: 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe
- Resource: win10v2004-en-20220113
General
- Target: 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe
- Size: 36KB
- MD5: de68443714daba954a2f34010e28d592
- SHA1: 72ba57dd556d444ae6bfab07063701ee7f44130a
- SHA256: 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1
- SHA512: 50c22e58f35f9227c2d77848b01de9421567ae9ee19ebfd2a2531b5409f270b11735153d6da1197446b1f943e538130668979730e22aae758f9b5804df1ccc5b
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  460 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  1172 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1100 | 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe
  1100 | 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege | 1100 | 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1100 wrote to memory of 460 | 1100 | 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe | MediaCenter.exe
  PID 1100 wrote to memory of 460 | 1100 | 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe | MediaCenter.exe
  PID 1100 wrote to memory of 460 | 1100 | 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe | MediaCenter.exe
  PID 1100 wrote to memory of 460 | 1100 | 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe | MediaCenter.exe
  PID 1100 wrote to memory of 1172 | 1100 | 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe | cmd.exe
  PID 1100 wrote to memory of 1172 | 1100 | 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe | cmd.exe
  PID 1100 wrote to memory of 1172 | 1100 | 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe | cmd.exe
  PID 1100 wrote to memory of 1172 | 1100 | 0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe | cmd.exe
  PID 1172 wrote to memory of 1204 | 1172 | cmd.exe | PING.EXE
  PID 1172 wrote to memory of 1204 | 1172 | cmd.exe | PING.EXE
  PID 1172 wrote to memory of 1204 | 1172 | cmd.exe | PING.EXE
  PID 1172 wrote to memory of 1204 | 1172 | cmd.exe | PING.EXE
Processes (process tree; depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe"
  PID: 1100
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 460
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ba167b1187ad3ba1457061a9a06ec334b1eab22383755572bffa93a984683f1.exe"
    PID: 1172
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1204
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c300237d34863a235a67ff91f28ab42e
  SHA1: 78bdccdc604b89955f3c36ded9793fc69d044d40
  SHA256: b7fffde81fbcfbd0596f20357ffc4041c98f86135be7493b953bf1405e00f4cd
  SHA512: 627847e9d9f2782fb23060881261acb968f8a7884af8034b91e2c857c2530bcdc94230db5bcead183fbd34cf2b73bbf91a0ba947b6a3047ae0caa117d653ea9c