Analysis

max time kernel: 129s
max time network: 156s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:20
Static task: static1

Behavioral task: behavioral1
  Sample: 0b430aa41c778be1370f3ba4974353ceaebfc9d2e628ffafd64e83c3c89d4a79.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0b430aa41c778be1370f3ba4974353ceaebfc9d2e628ffafd64e83c3c89d4a79.exe
  Resource: win10v2004-en-20220113
General

Target: 0b430aa41c778be1370f3ba4974353ceaebfc9d2e628ffafd64e83c3c89d4a79.exe
Size: 58KB
MD5: 5f077d4325d9f33e5ec09b6c8807f900
SHA1: 52f84fc0ccda3229f6153d3af8aafe4cd5704e23
SHA256: 0b430aa41c778be1370f3ba4974353ceaebfc9d2e628ffafd64e83c3c89d4a79
SHA512: dfd874e1f72a54c35bd9e4c127f714ad6fca253af3d597b55e076fd83b02eb79fab4a143d1259c9ccf54c50e5c2fb01c6b94d25f7bdf8210af9373d0accf372a
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1368)

Deletes itself (1 IoC)
  Process: cmd.exe (PID 1156)

Loads dropped DLL (2 IoCs)
  Process: 0b430aa41c778be1370f3ba4974353ceaebfc9d2e628ffafd64e83c3c89d4a79.exe (PID 1728), two load events recorded; the DLL name is not included in this export

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0b430aa41c778be1370f3ba4974353ceaebfc9d2e628ffafd64e83c3c89d4a79.exe (PID 1728)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The key lands under Wow6432Node because the sample is a 32-bit process writing HKLM\SOFTWARE through WOW64 registry redirection; the persisted binary sits in the user's Temp directory, a user-writable location.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic text for the signature; the rest of this report shows a drop-and-persist chain and records no encryption activity.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0b430aa41c778be1370f3ba4974353ceaebfc9d2e628ffafd64e83c3c89d4a79.exe (PID 1728)
  Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1728 (0b430aa41c778be1370f3ba4974353ceaebfc9d2e628ffafd64e83c3c89d4a79.exe) wrote to memory of PID 1368 (MediaCenter.exe), 4 events
  PID 1728 (0b430aa41c778be1370f3ba4974353ceaebfc9d2e628ffafd64e83c3c89d4a79.exe) wrote to memory of PID 1156 (cmd.exe), 4 events
  PID 1156 (cmd.exe) wrote to memory of PID 1768 (PING.EXE), 4 events
  Every group of four is a parent writing into a child it has just created, which is consistent with the writes CreateProcess itself performs during process start-up rather than with injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\0b430aa41c778be1370f3ba4974353ceaebfc9d2e628ffafd64e83c3c89d4a79.exe (PID 1728)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0b430aa41c778be1370f3ba4974353ceaebfc9d2e628ffafd64e83c3c89d4a79.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1368)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe (PID 1156)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b430aa41c778be1370f3ba4974353ceaebfc9d2e628ffafd64e83c3c89d4a79.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE (PID 1768)
         Command line: ping 127.0.0.1
         - Runs ping.exe

The chain is the common self-deletion idiom: the sample spawns cmd.exe, the ping to the loopback address serves only as a delay so that the parent has exited and released its image file by the time del /q runs on that path. The command line names System32 but the image that actually ran is in SysWOW64, which is file system redirection applied to a 32-bit parent; it matches the Wow6432Node Run key above.
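Detection logic for the two behaviours this report records, the Run-key persistence in the Signatures section and the ping-then-del self-deletion chain in the process tree above. This is an added example, not part of the sandbox report or its tooling. The events are constructed to mirror the PIDs, image paths and command lines in this report in a reduced Sysmon-style shape (process creation and registry value set); the launcher PID of the sample is not in the report and is a placeholder, and the list of user-writable prefixes is an assumption for illustration.

```python
"""Flag ping-then-del self-deletion and Run-key persistence into user-writable
paths, then correlate the two with the process that launched the persisted file."""
import re
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0b430aa41c778be1370f3ba4974353ceaebfc9d2e628ffafd64e83c3c89d4a79.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed process-creation events modelled on the process tree in this report.
# ppid 0 for the sample is a placeholder: its launcher is not in the report.
PROC_EVENTS: List[Dict] = [
    {"pid": 1728, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1368, "ppid": 1728, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 1156, "ppid": 1728, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1768, "ppid": 1156, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]
# Constructed registry event for the Run key the sample set.
REG_EVENTS: List[Dict] = [
    {"pid": 1728,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
]

# "ping <host> [args] & del [/switches] <path>": capture the path being deleted.
SELF_DELETE = re.compile(r'ping\s+\S+.*?&\s*del\s+(?:/\S+\s+)*"?([^"&]+?)"?\s*$', re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Assumed list of locations a non-admin user can write to (illustrative, not exhaustive).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\")


def _norm(path: str) -> str:
    """Case-fold and strip quotes so paths from different fields compare equal."""
    return path.strip().strip('"').lower()


def find_self_delete(events: List[Dict]) -> List[Dict]:
    """cmd.exe running ping-then-del; deletes_parent is True when the del target
    is the image of the process that spawned cmd.exe (true self-deletion)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not _norm(e["image"]).endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e["cmdline"])
        if not m:
            continue
        target = _norm(m.group(1))
        parent = by_pid.get(e["ppid"])
        hits.append({"pid": e["pid"], "target": target,
                     "deletes_parent": parent is not None and _norm(parent["image"]) == target})
    return hits


def find_run_key_persistence(reg_events: List[Dict]) -> List[Dict]:
    """Run/RunOnce values; user_writable marks a payload path an unprivileged user could plant."""
    hits = []
    for r in reg_events:
        if not RUN_KEY.search(r["key"]):
            continue
        value = _norm(r["value"])
        hits.append({"pid": r["pid"], "key": r["key"], "value": value,
                     "user_writable": any(p in value for p in USER_WRITABLE)})
    return hits


def triage(proc_events: List[Dict], reg_events: List[Dict]) -> Dict:
    """Correlate: a Run-key value that is also an image the same process launched
    is a dropped, executed and persisted payload, the chain this report shows."""
    launched = {(e["ppid"], _norm(e["image"])) for e in proc_events}
    persisted = find_run_key_persistence(reg_events)
    return {
        "self_delete": find_self_delete(proc_events),
        "run_keys": persisted,
        "dropped_and_persisted": [h for h in persisted if (h["pid"], h["value"]) in launched],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(PROC_EVENTS, REG_EVENTS), indent=2))
```

Matching the del target against the parent's image path is what separates self-deletion from a script that merely cleans up a temp file; on real telemetry, feed the functions Sysmon Event ID 1 and Event ID 13 records mapped to the same fields. The regex covers the ping delay idiom seen here; a `timeout /t` variant would need a second pattern.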
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped artifact (file name not recorded in this export; the export lists it three times with identical hashes). These hashes differ from the submitted sample's, so this is a distinct file.
MD5: b7f6ec028dcef65239e26e2c5dc735c7
SHA1: 7e63ab4dbfc4e64ee0674ad35dc1d476aab5eb38
SHA256: 4aed3e3fb936d7bdbe9256eed497c181f2af76e4732bf83de5fa95d212a46124
SHA512: 88fa11b2ca682e50aa59e4542bddef42d611ef4d77122bcec16fad6acdbca9c1dd98560e958daa1f8530a2ad4b724fd8347ef3672f8bf4f12c9983a27277a70e