Analysis
- max time kernel: 117s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:22
Static task: static1
Behavioral task: behavioral1
  Sample: 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe
  Resource: win10v2004-en-20220113
General
- Target: 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe
- Size: 60KB
- MD5: d6f30d6c48adddc5de97b7df6fa47967
- SHA1: 264d96b72222b50754f38791aa4382ad10595565
- SHA256: 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6
- SHA512: e9f381fb385b507bc71c437c94f4e242bac92ee657096a3b657cf4c43b7a7344ac1a79fb425d2eec3b24b4611a5b792623db33eb59b481333f10ac9f7792768d
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 1760  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid 440  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1088  0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe
    pid 1088  0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1088
    process: 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1088 wrote to memory of 1760 | 1088 | 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe | MediaCenter.exe
    PID 1088 wrote to memory of 1760 | 1088 | 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe | MediaCenter.exe
    PID 1088 wrote to memory of 1760 | 1088 | 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe | MediaCenter.exe
    PID 1088 wrote to memory of 1760 | 1088 | 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe | MediaCenter.exe
    PID 1088 wrote to memory of 440 | 1088 | 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe | cmd.exe
    PID 1088 wrote to memory of 440 | 1088 | 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe | cmd.exe
    PID 1088 wrote to memory of 440 | 1088 | 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe | cmd.exe
    PID 1088 wrote to memory of 440 | 1088 | 0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe | cmd.exe
    PID 440 wrote to memory of 1976 | 440 | cmd.exe | PING.EXE
    PID 440 wrote to memory of 1976 | 440 | cmd.exe | PING.EXE
    PID 440 wrote to memory of 1976 | 440 | cmd.exe | PING.EXE
    PID 440 wrote to memory of 1976 | 440 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1088
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1760
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b32a73c6cb3e28531c22fb8da3c468283d098479e543b48dad43b09b1cef9b6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 440
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1976
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1e70b600e2b98a16521ba9dddd4a0a4b
  SHA1: b1f151888485d7fed35c6aa8dd9a29b0489c4561
  SHA256: 7e87849e52482208d4f3c1704ff3ff4159857a220f891f227530c6e5f1dce031
  SHA512: 78c809cb1cb05f5ba2f84bed63ad465593b02710cb7eb99e7d8e4327365d873d45875f59ab67e62c36aeef2d5d807cbdccd578e5aabfc7ceb51753038db80a55
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1e70b600e2b98a16521ba9dddd4a0a4b
  SHA1: b1f151888485d7fed35c6aa8dd9a29b0489c4561
  SHA256: 7e87849e52482208d4f3c1704ff3ff4159857a220f891f227530c6e5f1dce031
  SHA512: 78c809cb1cb05f5ba2f84bed63ad465593b02710cb7eb99e7d8e4327365d873d45875f59ab67e62c36aeef2d5d807cbdccd578e5aabfc7ceb51753038db80a55
- memory/1088-54-0x0000000075341000-0x0000000075343000-memory.dmp
  Filesize: 8KB