Analysis
-
max time kernel
140s -
max time network
158s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 08:00
Static task
static1
Behavioral task
behavioral1
Sample
0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe
Resource
win10v2004-en-20220112
General
-
Target
0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe
-
Size
60KB
-
MD5
476e22009f28d2d531d13d4fa12efa59
-
SHA1
c15681556068a4c42081f08a50b52cca5a164ddc
-
SHA256
0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e
-
SHA512
5e032487f51dd016e6b50998c464bea06b581ea006de2eb57d715b2a358d6e0980cc740db191a8621daee53b4ffd0d352f847b0cad5a5fd317e2ed1820f9f477
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1568 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1780 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exepid process 804 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe 804 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exedescription pid process Token: SeIncBasePriorityPrivilege 804 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.execmd.exedescription pid process target process PID 804 wrote to memory of 1568 804 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe MediaCenter.exe PID 804 wrote to memory of 1568 804 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe MediaCenter.exe PID 804 wrote to memory of 1568 804 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe MediaCenter.exe PID 804 wrote to memory of 1568 804 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe MediaCenter.exe PID 804 wrote to memory of 1780 804 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe cmd.exe PID 804 wrote to memory of 1780 804 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe cmd.exe PID 804 wrote to memory of 1780 804 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe cmd.exe PID 804 wrote to memory of 1780 804 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe cmd.exe PID 1780 wrote to memory of 672 1780 cmd.exe PING.EXE PID 1780 wrote to memory of 672 1780 cmd.exe PING.EXE PID 1780 wrote to memory of 672 1780 cmd.exe PING.EXE PID 1780 wrote to memory of 672 1780 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe"C:\Users\Admin\AppData\Local\Temp\0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:672
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
6c035f82d9f2f90c2f718891926fccef
SHA10f52ee711741c32f857b591e273e7003f0f3a784
SHA256f35a55d7785183af46a07b8f7b175276ed3d4407f4ed000a5ca602b59edd2427
SHA512f36998f9479ad121b0f933aed2d1f7bc0efa0192457ecb53ec1c168459c3f500dd51918cbda455dea36059ae1ce4b76d497bf0d02e8f3cb02d3cbf92f5b3d7a5
-
MD5
6c035f82d9f2f90c2f718891926fccef
SHA10f52ee711741c32f857b591e273e7003f0f3a784
SHA256f35a55d7785183af46a07b8f7b175276ed3d4407f4ed000a5ca602b59edd2427
SHA512f36998f9479ad121b0f933aed2d1f7bc0efa0192457ecb53ec1c168459c3f500dd51918cbda455dea36059ae1ce4b76d497bf0d02e8f3cb02d3cbf92f5b3d7a5
-
MD5
6c035f82d9f2f90c2f718891926fccef
SHA10f52ee711741c32f857b591e273e7003f0f3a784
SHA256f35a55d7785183af46a07b8f7b175276ed3d4407f4ed000a5ca602b59edd2427
SHA512f36998f9479ad121b0f933aed2d1f7bc0efa0192457ecb53ec1c168459c3f500dd51918cbda455dea36059ae1ce4b76d497bf0d02e8f3cb02d3cbf92f5b3d7a5