Analysis
- max time kernel: 147s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:28
Static task: static1
Behavioral task: behavioral1
- Sample: 179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe
- Resource: win10v2004-en-20220112
General
- Target: 179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe
- Size: 58KB
- MD5: 67c066c2ddb9d397d78a1950e2e00665
- SHA1: 465387fc645498f241f4299b3814971efced1356
- SHA256: 179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6
- SHA512: 142e88c1712386a2f03a7ee669d423aeeb3e84dab2fd266378b9d5deef66d237df684af720dd4248d5165d5a5b96f525b483da9af2e0b3bc30b48ac0d79f24a8
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1592  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    432   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    600   179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe
    600   179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 600
    process: 179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                      pid  process                                                                   target process
    PID 600 wrote to memory of 1592  600  179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe  MediaCenter.exe
    PID 600 wrote to memory of 1592  600  179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe  MediaCenter.exe
    PID 600 wrote to memory of 1592  600  179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe  MediaCenter.exe
    PID 600 wrote to memory of 1592  600  179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe  MediaCenter.exe
    PID 600 wrote to memory of 432   600  179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe  cmd.exe
    PID 600 wrote to memory of 432   600  179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe  cmd.exe
    PID 600 wrote to memory of 432   600  179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe  cmd.exe
    PID 600 wrote to memory of 432   600  179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe  cmd.exe
    PID 432 wrote to memory of 1796  432  cmd.exe                                                                   PING.EXE
    PID 432 wrote to memory of 1796  432  cmd.exe                                                                   PING.EXE
    PID 432 wrote to memory of 1796  432  cmd.exe                                                                   PING.EXE
    PID 432 wrote to memory of 1796  432  cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:600
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:1592
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\179039fdeee5bfa22e35e53e3a81fd4599f8de237a43760fdd78cc149f823ac6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:432
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID:1796
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f240e75fa854ca3e8f88934d8b560023
  SHA1: 3ee4cb2783a10ffed26eee5f10da205723d2542e
  SHA256: 583f7928530366b88c7e1582499d517123c74ee82eb7da995c8c9351d7069219
  SHA512: 8f0b0c5ea0866891e65da154432defab8c4ec4883c7bacba36a257be78fe8e0aa883727e370c8976ebae75abf8865d8cde59ebf6c7dfb5aed552da7ddaee97b0