Analysis

max time kernel: 156s
max time network: 174s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:06
Static task: static1

Behavioral task: behavioral1
  Sample: 0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe
  Resource: win10v2004-en-20220113
General

Target: 0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe
Size: 58KB
MD5: 50560ff18bdbc2fbeb9a35ebedba76c3
SHA1: 6297da7860019cfca492456a88084180f5c54d25
SHA256: 0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b
SHA512: b7a179eb21e5a46684182b865507575efdcc24677439b5d4e730dadf51be6d804825b02e00548c945ab16812edb695ad0a8ddef0f96c42c9a14d1563efd65510
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  2036  MediaCenter.exe

Deletes itself (1 IoCs)
Processes:
  pid   process
  1792  cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1600  0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe
  1600  0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1600  0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                                                                   target process
  PID 1600 wrote to memory of 2036  1600  0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe  MediaCenter.exe
  PID 1600 wrote to memory of 2036  1600  0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe  MediaCenter.exe
  PID 1600 wrote to memory of 2036  1600  0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe  MediaCenter.exe
  PID 1600 wrote to memory of 2036  1600  0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe  MediaCenter.exe
  PID 1600 wrote to memory of 1792  1600  0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe  cmd.exe
  PID 1600 wrote to memory of 1792  1600  0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe  cmd.exe
  PID 1600 wrote to memory of 1792  1600  0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe  cmd.exe
  PID 1600 wrote to memory of 1792  1600  0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe  cmd.exe
  PID 1792 wrote to memory of 432   1792  cmd.exe                                                                   PING.EXE
  PID 1792 wrote to memory of 432   1792  cmd.exe                                                                   PING.EXE
  PID 1792 wrote to memory of 432   1792  cmd.exe                                                                   PING.EXE
  PID 1792 wrote to memory of 432   1792  cmd.exe                                                                   PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe
  "C:\Users\Admin\AppData\Local\Temp\0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1600

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2036

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bad9c0af6f1d508f4c238ff753434089b9e73fb1f913d775c7f609afd75458b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1792

    C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      - Runs ping.exe
      PID: 432
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: f4c811a3356bc1c2a2f3196fa87a42a5
SHA1: d786eeea6c126a26c413b775ed7ce4eeebff1e25
SHA256: 8d72abb6c8f2b9852593fbc9d75d7f9809886b6049cb0d26bee8ad9fc1d6b00e
SHA512: 854837266acc8de2a3e15b046e7d6530798ae509bc085021a1240e9cfc513eb1eb32cd3068f1f7f5ba6fb4d6927fe86ba4e90a90b2c1d6b146a74a16b7ed1c35