Analysis
- max time kernel: 144s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:08
Static task: static1
Behavioral task: behavioral1
  Sample: 0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe
  Resource: win10v2004-en-20220113
General
- Target: 0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe
- Size: 35KB
- MD5: d2fde83fbe3ac5c848ccd16046492b0a
- SHA1: 5f8f9d67530d54cb6471f2815b54b9c5eb56394c
- SHA256: 0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415
- SHA512: 6c1b016819636c4ef3cd0df0319675f04e633097881cb44f3e87610d9f1051e5cce5e3517c6fafca2cd7c9aa12d6bbf0fdf07dd6e5ad316c96e004ca4bb06cbc
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1608)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 672)
- Loads dropped DLL (2 IoCs)
  Processes: 0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe (PID 1568), recorded twice
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe (PID 1568), Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID -> target PID (source process -> target process):
  1568 -> 1608 (0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe -> MediaCenter.exe), recorded 4 times
  1568 -> 672 (0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe -> cmd.exe), recorded 4 times
  672 -> 972 (cmd.exe -> PING.EXE), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe (PID 1568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1608)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 672)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 972)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: cf726e4bdd8995faf1d1955888c598e9
  SHA1: e773e42066d02c0b29214e6f3149c2422bf5ba06
  SHA256: 35c052a85fdac791ec340a6273bb90a51d98ec663d7c51a9915396b41eb732fa
  SHA512: 55aadd16808ca4df6d3e99ba63523c98f5f3a13062d383423edc89b9a78c7ce33661336a9f6535d8cdf38bb8c1f03797f9bddf8fb7c1284950e7be00ee61a440