Analysis
- max time kernel: 156s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:04
Static task: static1
Behavioral task: behavioral1
  Sample: 0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe
  Resource: win10v2004-en-20220112
General
- Target: 0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe
- Size: 58KB
- MD5: 6da577b02be39236323b9fead20988a5
- SHA1: 02c96bc899eea650f625f1b98d81488378ea5a6f
- SHA256: 0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1
- SHA512: d9ed60033233eef711fc089f9ff718cad59a7f66afb8fcdbaa81ad78115b3a47afada862d10e0649b4918d8725ff83dc4012d6083a495fdadb66029fd18a0110
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1156  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    1664  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1688  0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe
    1688  0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1688
    process: 0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 1688 wrote to memory of 1156  1688  0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe  MediaCenter.exe
    PID 1688 wrote to memory of 1156  1688  0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe  MediaCenter.exe
    PID 1688 wrote to memory of 1156  1688  0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe  MediaCenter.exe
    PID 1688 wrote to memory of 1156  1688  0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe  MediaCenter.exe
    PID 1688 wrote to memory of 1664  1688  0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe  cmd.exe
    PID 1688 wrote to memory of 1664  1688  0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe  cmd.exe
    PID 1688 wrote to memory of 1664  1688  0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe  cmd.exe
    PID 1688 wrote to memory of 1664  1688  0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe  cmd.exe
    PID 1664 wrote to memory of 1488  1664  cmd.exe                                                                   PING.EXE
    PID 1664 wrote to memory of 1488  1664  cmd.exe                                                                   PING.EXE
    PID 1664 wrote to memory of 1488  1664  cmd.exe                                                                   PING.EXE
    PID 1664 wrote to memory of 1488  1664  cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1688
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1156
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bc1f71d0f71cc6b60d0bae745576eadd1043289e8f166e37b1aea72cb07c5d1.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1664
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1488
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0e65a3b61261ac4203d03f854925225f
  SHA1: 3d6a3280a8ddb1bafc66c6b91fe98253aa354d00
  SHA256: a441ad52db563170097e34610a6c08cc435d8d332d1569456d3acdf2776e84ef
  SHA512: 178ab1002d5cc332d0b08946a474326d60fa28e0def75302b64fab1e4f87b0616608178abc3c2298946b99f42e417be7f9cdcfc3c520042114b5088092b88279