Analysis
max time kernel: 119s
max time network: 128s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:31
Static task: static1
Behavioral task: behavioral1
  Sample: 177322589e89ffc0c435bd665cd3b0e131c2e0cbbd45a5d069046e7336ba5df6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 177322589e89ffc0c435bd665cd3b0e131c2e0cbbd45a5d069046e7336ba5df6.exe
  Resource: win10v2004-en-20220112
General
Target: 177322589e89ffc0c435bd665cd3b0e131c2e0cbbd45a5d069046e7336ba5df6.exe
Size: 60KB
MD5: 3086b03eabb93dfa6a07d41760dee729
SHA1: 8a216429778cd750f3c775da80fb69fc64b8d5b3
SHA256: 177322589e89ffc0c435bd665cd3b0e131c2e0cbbd45a5d069046e7336ba5df6
SHA512: 1f16200c606f7503fd3e16981c53be675e5574d591606f4db94c0cd1947cee56dbee34d4999c4c3b52c95e03af6b426a13eed3173ba9e1109bccf6e6772fc1a2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1848 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: PID 396 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 832 177322589e89ffc0c435bd665cd3b0e131c2e0cbbd45a5d069046e7336ba5df6.exe (recorded twice)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 177322589e89ffc0c435bd665cd3b0e131c2e0cbbd45a5d069046e7336ba5df6.exe set value (str):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process 177322589e89ffc0c435bd665cd3b0e131c2e0cbbd45a5d069046e7336ba5df6.exe, PID 832: Token SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each relationship is recorded four times):
    PID 832 (177322589e89ffc0c435bd665cd3b0e131c2e0cbbd45a5d069046e7336ba5df6.exe) wrote to memory of PID 1848 (MediaCenter.exe)
    PID 832 (177322589e89ffc0c435bd665cd3b0e131c2e0cbbd45a5d069046e7336ba5df6.exe) wrote to memory of PID 396 (cmd.exe)
    PID 396 (cmd.exe) wrote to memory of PID 1972 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\177322589e89ffc0c435bd665cd3b0e131c2e0cbbd45a5d069046e7336ba5df6.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\177322589e89ffc0c435bd665cd3b0e131c2e0cbbd45a5d069046e7336ba5df6.exe"
  PID: 832
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, child of PID 832)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1848
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2, child of PID 832)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\177322589e89ffc0c435bd665cd3b0e131c2e0cbbd45a5d069046e7336ba5df6.exe"
    PID: 396
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3, child of PID 396)
      Command line: ping 127.0.0.1
      PID: 1972
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- Dropped file (the same hashes are recorded three times in the report)
  MD5: 6b35014c95d2b79d99993a263de4975d
  SHA1: 5cc548eab2ca3f09689c8d8fd0716c96d382244b
  SHA256: d54d2c5921c9148dbcc4a7d8f0a2ec653d6ae06233d1385790802b883678d0b9
  SHA512: e7173a9930a8a17207e6c284f435011928c255300d4012d61f5f3268187e3d05e775e2f34d4365189f4474c39d6f28a5694ce3d20ec2e38e46df9c6855d9dbe2