Analysis
Max time kernel: 155s
Max time network: 169s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 08:08
Static task: static1
Behavioral task: behavioral1
  Sample: 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe
  Resource: win10v2004-en-20220112
General
Target: 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe
Size: 36KB
MD5: 2706a0b0f974d72c6f3a0aef8ab2fe81
SHA1: 396962f00f0e18b2a409e29f137cf05761ef4bea
SHA256: 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f
SHA512: 6a9f393e46bf3db237ead1cc4daeaffd5b1d21d3fcccaa9a4dfb6c670cf10c5f84b15d29e95334656cabc933585197e9f53020924ee4195d696bb648f081de28
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes:
    MediaCenter.exe  PID 524
Deletes itself (1 IoC)
  Processes:
    cmd.exe  PID 1100
Loads dropped DLL (2 IoCs)
  Processes:
    0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe  PID 1088
    0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe  PID 1088
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe
      Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe  PID 1088  Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID, target PID, source process, target process):
    PID 1088 wrote to memory of 524   0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe  MediaCenter.exe
    PID 1088 wrote to memory of 524   0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe  MediaCenter.exe
    PID 1088 wrote to memory of 524   0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe  MediaCenter.exe
    PID 1088 wrote to memory of 524   0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe  MediaCenter.exe
    PID 1088 wrote to memory of 1100  0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe  cmd.exe
    PID 1088 wrote to memory of 1100  0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe  cmd.exe
    PID 1088 wrote to memory of 1100  0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe  cmd.exe
    PID 1088 wrote to memory of 1100  0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe  cmd.exe
    PID 1100 wrote to memory of 1060  cmd.exe  PING.EXE
    PID 1100 wrote to memory of 1060  cmd.exe  PING.EXE
    PID 1100 wrote to memory of 1060  cmd.exe  PING.EXE
    PID 1100 wrote to memory of 1060  cmd.exe  PING.EXE
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1088
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 524
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1100
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1060
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 1f835da9c9710bb4bf608c4087e3a30f
SHA1: 8bd7e4f474d602ec766cc6a9a304b0a8fb59cbfe
SHA256: 67d919f770ba26e676c3c0d61aeb65e1fe5c29f1b5b9592564386f803fa3411b
SHA512: ce5e13555b92e77cb0ebc55fc27057617b1aae48482437f260f9b89f801ad8809d21728d2d93cad0dfb504c56d58b8b3a6605e8fc30294d280e9887a35a54cf6