Analysis
- max time kernel: 155s
- max time network: 174s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:09
Static task: static1
Behavioral task: behavioral1
- Sample: 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe
- Resource: win10v2004-en-20220113
General
- Target: 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe
- Size: 60KB
- MD5: f26ca365fda9944bda68f1c88431ac26
- SHA1: 3e755ad3d1ef6589274e7ef64b0666ad640782a2
- SHA256: 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614
- SHA512: c8aad45c45889f283678659dbf7ab257e47d08dd5d88da5286f9cff8c3486bdd2facee4205f27e6868862fd2b8d381520191f3bfa2c8ebb6f436fb62ad62a941
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  788 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  420 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  736 | 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe
  736 | 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 736 | 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 736 wrote to memory of 788 | 736 | 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe | MediaCenter.exe
  PID 736 wrote to memory of 788 | 736 | 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe | MediaCenter.exe
  PID 736 wrote to memory of 788 | 736 | 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe | MediaCenter.exe
  PID 736 wrote to memory of 788 | 736 | 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe | MediaCenter.exe
  PID 736 wrote to memory of 420 | 736 | 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe | cmd.exe
  PID 736 wrote to memory of 420 | 736 | 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe | cmd.exe
  PID 736 wrote to memory of 420 | 736 | 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe | cmd.exe
  PID 736 wrote to memory of 420 | 736 | 0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe | cmd.exe
  PID 420 wrote to memory of 1656 | 420 | cmd.exe | PING.EXE
  PID 420 wrote to memory of 1656 | 420 | cmd.exe | PING.EXE
  PID 420 wrote to memory of 1656 | 420 | cmd.exe | PING.EXE
  PID 420 wrote to memory of 1656 | 420 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe (PID 736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 788)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 420)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b980903ea44bd4841cffd619cb6f740b2c0ddbd4a4dfda4a94cce2dd9875614.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1656)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0097fd79aa838d979365f294d2fa0535
  SHA1: fb14787a23c8b746c984f5a16c351ca6a89218ba
  SHA256: 1a42b916c683da9bc263cf25c30212cb635779bcbfb65362bf64e02db3afa855
  SHA512: 49be7a7c29e6ba2c5005929227594006c5d830377af8092075f2af640b80a9e25fd845ecdf9a3683071089621d60909c3624a06a34c04bb3145e558f88ed4ae5