Analysis
- max time kernel: 126s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:26
Static task: static1
Behavioral task: behavioral1
  Sample: 0b08fb812a39ec9ece2c5726a11978f36e6ef7af1ca892c6361a24473894daf0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b08fb812a39ec9ece2c5726a11978f36e6ef7af1ca892c6361a24473894daf0.exe
  Resource: win10v2004-en-20220112
General
- Target: 0b08fb812a39ec9ece2c5726a11978f36e6ef7af1ca892c6361a24473894daf0.exe
- Size: 36KB
- MD5: 3093ab14413fe8c4fff07cefa606ee60
- SHA1: e737188fbbd11fc11d6c7bc61946115db28dc72c
- SHA256: 0b08fb812a39ec9ece2c5726a11978f36e6ef7af1ca892c6361a24473894daf0
- SHA512: 8f98886f38c8101700727ded5009799a7c99277dc053cddf8323fd8f41baa25edb4c69c86f589ce21a4f13722ab58634e722b398be5607d668e0d7750f25a17e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1616)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 756)
- Loads dropped DLL (2 IoCs)
  Processes: 0b08fb812a39ec9ece2c5726a11978f36e6ef7af1ca892c6361a24473894daf0.exe (PID 1752), 2 events
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0b08fb812a39ec9ece2c5726a11978f36e6ef7af1ca892c6361a24473894daf0.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0b08fb812a39ec9ece2c5726a11978f36e6ef7af1ca892c6361a24473894daf0.exe (PID 1752)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1752 (0b08fb812a39ec9ece2c5726a11978f36e6ef7af1ca892c6361a24473894daf0.exe) wrote to memory of PID 1616 (MediaCenter.exe), 4 events
  PID 1752 (0b08fb812a39ec9ece2c5726a11978f36e6ef7af1ca892c6361a24473894daf0.exe) wrote to memory of PID 756 (cmd.exe), 4 events
  PID 756 (cmd.exe) wrote to memory of PID 1640 (PING.EXE), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\0b08fb812a39ec9ece2c5726a11978f36e6ef7af1ca892c6361a24473894daf0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b08fb812a39ec9ece2c5726a11978f36e6ef7af1ca892c6361a24473894daf0.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1752
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1616
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b08fb812a39ec9ece2c5726a11978f36e6ef7af1ca892c6361a24473894daf0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 756
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1640
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1d1a588412679573312f2234aa4f56cb
  SHA1: 3c04c7b0f380adcb30282be3b6780c0c081cfe06
  SHA256: 0179d25046691d409fc8b8a3a1c83b85a661cfcd3dc3c1f17a4d1ae6e1bc51c4
  SHA512: 7d1505c91974874e39f4b526f33d80be93f4950633bad3503bcde222c8f4b69a8eec370856c8fe3d749a7199892ceb56d42552ef7cc8db3e7b23f315298c0653
- memory/1752-55-0x0000000076921000-0x0000000076923000-memory.dmp
  Filesize: 8KB