Analysis
-
max time kernel: 143s
max time network: 169s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:05
Static task: static1
Behavioral task: behavioral1
  Sample: 0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad.exe
  Resource: win10v2004-en-20220112
General
-
Target: 0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad.exe
Size: 60KB
MD5: 9416ca8464293b6a748a137e68419cb6
SHA1: f9b05374c98d227894e35397935f56ecfed8eef6
SHA256: 0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad
SHA512: 21c49f33d38082118f0168905d2b3ca3299d236f2de6bb9610bde2c8d1c1e6a2578922c88029e0dd67750687852654f36d39ac35b96b44f3170d2fa9b75a9af0
Malware Config
Signatures (behavioral1, win7-en-20211208, as given under Analysis above)
- Executes dropped EXE (1 IoC)
  pid 1664  MediaCenter.exe
- Deletes itself (1 IoC)
  pid 1976  cmd.exe
- Loads dropped DLL (2 IoCs)
  pid 288  0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad.exe
  pid 288  0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  by pid 288  0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad.exe
  The key lands under Wow6432Node because the sample is a 32-bit process and its HKLM write is WoW64-redirected; entries in that view are still processed at logon on 64-bit Windows, so the persistence is effective. Writing under HKLM requires administrative rights, which the sandbox's Admin account provides; this report does not show what the sample does on a standard-user account.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That last sentence is the sandbox's generic description for this signature; no file-encryption or ransom-note activity appears anywhere else in this report, so it does not by itself support a ransomware classification.
- Runs ping.exe (1 TTP, 1 IoC)
  pid 1968  PING.EXE (ping 127.0.0.1, used as a delay before the self-delete; see the process tree below)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  pid 288  0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad.exe
  SeIncBasePriorityPrivilege only permits raising scheduling priority; it is a far weaker signal than SeDebugPrivilege and is enabled by plenty of legitimate software.
- Suspicious use of WriteProcessMemory (12 IoCs)
  pid 288 (0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad.exe) wrote to memory of pid 1664 (MediaCenter.exe), 4 times
  pid 288 (0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad.exe) wrote to memory of pid 1976 (cmd.exe), 4 times
  pid 1976 (cmd.exe) wrote to memory of pid 1968 (PING.EXE), 4 times
  Every write goes from a parent into a child it has just created, and none targets an unrelated process. That is the pattern CreateProcess itself produces (the parent copies the process parameters block into the new process), so on its own it is not evidence of code injection.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad.exe  (PID 288)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1664)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe  (PID 1976)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE  (PID 1968)
         Command line: ping 127.0.0.1
         - Runs ping.exe

Two details worth reading from the tree. The command line names C:\Windows\System32\cmd.exe but the image that actually runs is C:\Windows\SysWOW64\cmd.exe: WoW64 file-system redirection applied to a 32-bit parent, consistent with the Wow6432Node Run key above. And the ping is not network activity; with default options it sends four echo requests to loopback, roughly three seconds, long enough for the parent to exit so that del /q can remove the sample's own image, which cannot be deleted while it is still running.
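Detection logic for the two behaviours the tree shows (delay-and-delete of the parent's own image, and a Run-key write pointing into a user-writable directory), as an added example that is not part of the sandbox report or its tooling. It runs over constructed event records shaped after Sysmon process-creation (EventID 1) and registry-value-set (EventID 13) events, using the report's own paths and PIDs; the field names, the sample's parent PID and the benign control entry are assumptions made for this example. The self-delete check generalises beyond this one sample: it accepts any "ping ... & del" command line but only fires when the file being deleted is the parent process's own executable.

```python
"""Detect self-deletion via ping-delay and Run-key persistence in process/registry events.

Added example, not part of the sandbox report. Event dicts are constructed to resemble
Sysmon EventID 1 (process create) and EventID 13 (registry value set) records; the field
names, the parent PID 1200 and the benign control entry are assumptions for this example.
"""
import re

# Paths taken from the report's process tree and Run-key IoC.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0bb39e349de4875bc298a7143ac75f3905d83c483bed774781e0f0e328583aad.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report's process tree (PIDs as in the report).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 288, "ParentProcessId": 1200,   # parent PID assumed
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 288,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 1664, "ParentProcessId": 288,
     "Image": DROPPED, "CommandLine": DROPPED},
    # WoW64 redirection: the command line names System32 but the image is SysWOW64.
    {"EventID": 1, "ProcessId": 1976, "ParentProcessId": 288,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 1968, "ParentProcessId": 1976,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    # Benign control (assumed): a Run entry pointing into Program Files must not fire.
    {"EventID": 13, "ProcessId": 500,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

# "ping <host> ... & del [/switches] <path>": the ping is a delay, the del is the self-delete.
SELF_DELETE_RE = re.compile(
    r'ping\s+\S+.*?&\s*del\b(?:\s+/\w+)*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Run / RunOnce under any hive, including the Wow6432Node view seen in this report.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Locations a non-admin user can write to; persistence pointing here deserves a look.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|ProgramData|Users\\Public)\\", re.IGNORECASE)


def find_self_deletion(events):
    """Return (cmd_pid, parent_pid, deleted_path) for each cmd.exe whose command line
    delay-deletes its own parent's image, as the sample does with ping & del."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["CommandLine"])
        if not m:
            continue
        target = m.group(1) or m.group(2)
        parent = by_pid.get(e["ParentProcessId"])
        # Only flag when the file being deleted is the parent's own executable;
        # a bare "ping & del" also shows up in legitimate installer cleanup.
        if parent and parent["Image"].lower() == target.lower():
            hits.append((e["ProcessId"], parent["ProcessId"], target))
    return hits


def find_suspicious_run_keys(events):
    """Return (pid, key, value) for Run-key writes whose target lives in a user-writable path."""
    return [(e["ProcessId"], e["TargetObject"], e["Details"])
            for e in events
            if e["EventID"] == 13
            and RUN_KEY_RE.search(e["TargetObject"])
            and USER_WRITABLE_RE.search(e["Details"])]


if __name__ == "__main__":
    for cmd_pid, parent_pid, path in find_self_deletion(SAMPLE_EVENTS):
        print(f"self-delete: cmd.exe pid {cmd_pid} removes image of parent pid {parent_pid}: {path}")
    for pid, key, value in find_suspicious_run_keys(SAMPLE_EVENTS):
        print(f"persistence: pid {pid} set {key} = {value}")
```

Run as a script it reports one self-delete (cmd.exe 1976 removing the image of 288) and one persistence write (288 setting the MicroMedia Run value), and stays quiet on the Program Files control entry. Keying the self-delete rule on the parent's image rather than on the mere presence of "ping & del" is deliberate: the bare pattern is common in installers and updaters, while a child deleting its own parent's executable is what this sample actually does.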
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: f9d5b06bae8bd339d8f7f1cb80502c5b
SHA1: 4fff1648f9652fa3d65787d529eecf3339ca9809
SHA256: 5e6bbd8f622538bc05729c40c47149ff15ad1f502192101158f1f98fc0f6bcb5
SHA512: 5c6326aa9717718f50cda1a33963fce765eddf9b892ec0d469b29bc78d3f722598a596cc9e6c12c9d8bd11df6f3d1446ef28f35e4e1b44e795edc91a79c384a7