Analysis
- max time kernel: 148s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:00
Static task: static1
Behavioral task: behavioral1
- Sample: 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe
- Resource: win10v2004-en-20220113
General
- Target: 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe
- Size: 58KB
- MD5: 45e8ccc6cb073b06fd7cb2f27fc64d5e
- SHA1: 7b03013267186120b83c1ea9be02cabe1c6c9f2a
- SHA256: 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7
- SHA512: f528aacc3bfa666e82aa08105006714cbaa19510db1a70a573b75c2a2ac612e073d5d198d82d68ae682bc2867b02e86f224902db88d6470eb5423c10bd3b4175
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    1884 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
    820 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1620 | 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe
    1620 | 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1620 | 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1620 wrote to memory of 1884 | 1620 | 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe | MediaCenter.exe
    PID 1620 wrote to memory of 1884 | 1620 | 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe | MediaCenter.exe
    PID 1620 wrote to memory of 1884 | 1620 | 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe | MediaCenter.exe
    PID 1620 wrote to memory of 1884 | 1620 | 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe | MediaCenter.exe
    PID 1620 wrote to memory of 820 | 1620 | 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe | cmd.exe
    PID 1620 wrote to memory of 820 | 1620 | 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe | cmd.exe
    PID 1620 wrote to memory of 820 | 1620 | 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe | cmd.exe
    PID 1620 wrote to memory of 820 | 1620 | 0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe | cmd.exe
    PID 820 wrote to memory of 1608 | 820 | cmd.exe | PING.EXE
    PID 820 wrote to memory of 1608 | 820 | cmd.exe | PING.EXE
    PID 820 wrote to memory of 1608 | 820 | cmd.exe | PING.EXE
    PID 820 wrote to memory of 1608 | 820 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1620
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1884
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bfdde875d0d15b21599bf64ba04a3ace45d9fac8d3df5705a5c67fa0028cbc7.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 820
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1608
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: dbdc4022f0d598865245ce7122f577ba
  SHA1: c654aa572fb4fcb3ccd3653fb8841ffee3d23638
  SHA256: 89776c1aff707e7e39d34e3c60c48f41858ddb4f9a4990bd50526aae683303a8
  SHA512: 0378d0d013b2988a020727cd5ea54fdabcce104054c9abcf1e2e7b8f1568e78677360d884e86a1593b8f6cd9f69a26fc8ac1e8e2491b1cbf1e6e2560ec7b3706