Analysis
max time kernel: 119s
max time network: 126s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:23
Static task: static1
Behavioral task: behavioral1
  Sample: 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe
  Resource: win10v2004-en-20220112
General
Target: 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe
Size: 58KB
MD5: 190db05f58c31ff8db023c7af813051c
SHA1: 3bf272baaf7d4cca50fad54d38c379bc99aeffc6
SHA256: 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1
SHA512: 7906bef687d11e3440e0ef84bf4b6a86cd8ddf3ab00fcddf881b0b881fa1823af7ef45f7d34f94b239f68e76412cb5ad12f408a7e38c77ed6b6cfc8642a08cd9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid 1540  process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
    pid 776  process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe
    pid 1128  process 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe
    pid 1128  process 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe
    description: Token: SeIncBasePriorityPrivilege  pid 1128  process 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe, cmd.exe
    PID 1128 wrote to memory of 1540  process 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe  target MediaCenter.exe
    PID 1128 wrote to memory of 1540  process 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe  target MediaCenter.exe
    PID 1128 wrote to memory of 1540  process 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe  target MediaCenter.exe
    PID 1128 wrote to memory of 1540  process 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe  target MediaCenter.exe
    PID 1128 wrote to memory of 776  process 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe  target cmd.exe
    PID 1128 wrote to memory of 776  process 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe  target cmd.exe
    PID 1128 wrote to memory of 776  process 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe  target cmd.exe
    PID 1128 wrote to memory of 776  process 0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe  target cmd.exe
    PID 776 wrote to memory of 1992  process cmd.exe  target PING.EXE
    PID 776 wrote to memory of 1992  process cmd.exe  target PING.EXE
    PID 776 wrote to memory of 1992  process cmd.exe  target PING.EXE
    PID 776 wrote to memory of 1992  process cmd.exe  target PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe"
  PID: 1128
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1540
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b29ab338bdfff9ba17373f4f99f5abaeef515d43d66424fa462d6f8147eb4b1.exe"
    PID: 776
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1992
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0ce4453b6db97bc4279339f42a64a2bf
  SHA1: 91cc8d7f1db1aa4f2cba8e86ddeb893020fa2cd2
  SHA256: 6f6081034a0067b03ede82707c43373fe558ad62e16e4ccc7fd1a6e00094bbb1
  SHA512: 40b33bc7f7eb0039f6c71a745b5da3cfaf3b49126ff6490aae2c7c129102913079b2a57a2cde872829061a9784d6752d50a4611f9c5f5e608de892dca663760a
- memory/1128-54-0x0000000075891000-0x0000000075893000-memory.dmp
  Filesize: 8KB