Analysis
- max time kernel: 144s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:28
Static task: static1
Behavioral task: behavioral1
  Sample: 0b029f3025aeb0a732754dfeb88a1e40f263acc27b6c9f1c05ef557f7eaca683.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b029f3025aeb0a732754dfeb88a1e40f263acc27b6c9f1c05ef557f7eaca683.exe
  Resource: win10v2004-en-20220113
General
- Target: 0b029f3025aeb0a732754dfeb88a1e40f263acc27b6c9f1c05ef557f7eaca683.exe
- Size: 60KB
- MD5: 4338e036c621d2632da45342118c53ef
- SHA1: fca7ad48e699c36e624017e1eec2d92ae8ecfce2
- SHA256: 0b029f3025aeb0a732754dfeb88a1e40f263acc27b6c9f1c05ef557f7eaca683
- SHA512: 4be469095d78a7e0134562e89ef3a4bc3de6e90d0adcebc94c6b4a42d8a557297035922dbe202b993b63682236c7601b9cae7e153ac2a0b0edcc100c539f3173
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1360)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 1132)
- Loads dropped DLL (2 IoCs)
  Process: 0b029f3025aeb0a732754dfeb88a1e40f263acc27b6c9f1c05ef557f7eaca683.exe (PID 1728), 2 events
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0b029f3025aeb0a732754dfeb88a1e40f263acc27b6c9f1c05ef557f7eaca683.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0b029f3025aeb0a732754dfeb88a1e40f263acc27b6c9f1c05ef557f7eaca683.exe (PID 1728)
  IoC: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1728 (0b029f3025aeb0a732754dfeb88a1e40f263acc27b6c9f1c05ef557f7eaca683.exe) wrote to memory of PID 1360 (MediaCenter.exe): 4 events
  PID 1728 (0b029f3025aeb0a732754dfeb88a1e40f263acc27b6c9f1c05ef557f7eaca683.exe) wrote to memory of PID 1132 (cmd.exe): 4 events
  PID 1132 (cmd.exe) wrote to memory of PID 1508 (PING.EXE): 4 events
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\0b029f3025aeb0a732754dfeb88a1e40f263acc27b6c9f1c05ef557f7eaca683.exe (PID 1728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b029f3025aeb0a732754dfeb88a1e40f263acc27b6c9f1c05ef557f7eaca683.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1360)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - [depth 2] C:\Windows\SysWOW64\cmd.exe (PID 1132)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b029f3025aeb0a732754dfeb88a1e40f263acc27b6c9f1c05ef557f7eaca683.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\PING.EXE (PID 1508)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 95d6cc8a377ddf1494ac3128d955d4e4
  SHA1: 56f62e0ba17746294fa88f01e7ba5e374fdbf251
  SHA256: 4f4193d734b0032f04fd12e4b2f92538ac6fa0edce8c0232386814675ca4718b
  SHA512: b35369ed54da7721e5f308a0162d431cc729d0ef2df73bb983096780457a5d82908d86f776896721870845eb45a6099e137549b6f25f2d9257d4d75d36608f10
- memory/1728-55-0x0000000074F11000-0x0000000074F13000-memory.dmp
  Filesize: 8KB