Analysis
- max time kernel: 152s
- max time network: 177s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:06
Static task: static1
Behavioral task: behavioral1
  Sample: 0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe
  Resource: win10v2004-en-20220112
General
- Target: 0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe
- Size: 60KB
- MD5: 992ec461c3d0b33ca2524f9ec9b2c6b7
- SHA1: 212df6af809a06f1f97bf0d33a1287375b46221b
- SHA256: 0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca
- SHA512: 1f8168b34cdacd5216a21e1e5d88fcc934702b460a5e0663c08076c575663298b0e6ab08659301e7fb1231d15f98b6729150b7019e455fb639a65c2f602c8e60
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    680  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
    1808  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1084  0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe
    1084  0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1084  0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1084 wrote to memory of 680   1084  0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe  MediaCenter.exe
    PID 1084 wrote to memory of 680   1084  0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe  MediaCenter.exe
    PID 1084 wrote to memory of 680   1084  0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe  MediaCenter.exe
    PID 1084 wrote to memory of 680   1084  0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe  MediaCenter.exe
    PID 1084 wrote to memory of 1808  1084  0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe  cmd.exe
    PID 1084 wrote to memory of 1808  1084  0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe  cmd.exe
    PID 1084 wrote to memory of 1808  1084  0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe  cmd.exe
    PID 1084 wrote to memory of 1808  1084  0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe  cmd.exe
    PID 1808 wrote to memory of 1160  1808  cmd.exe  PING.EXE
    PID 1808 wrote to memory of 1160  1808  cmd.exe  PING.EXE
    PID 1808 wrote to memory of 1160  1808  cmd.exe  PING.EXE
    PID 1808 wrote to memory of 1160  1808  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe"
  PID: 1084
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 680
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bb14972e8a9bffd5b99a46bc78be0f4c7ad281250a17d2e12f1adb8bfb7b2ca.exe"
    PID: 1808
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      PID: 1160
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1ff296358376bd5bf3af68601592432a
  SHA1: 95be3e7731b23f15f5934f62bb61ddd797b5622c
  SHA256: 2cba618b595479a4f84feb036b0197cc91be334179494de64354cc407d7cf7c2
  SHA512: 14ded02bc61b431344f4050706cdc2dfa9dc84b7b5336e9c1a467b1ea3c052c142fae347f16fc02db1dde08c5fe871a5c1224d1bfb45151f882d79ba9ff76c40