Analysis
- max time kernel: 121s
- max time network: 129s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:30
Static task: static1
Behavioral task: behavioral1
- Sample: 17796927a7cc1c7532e760970ced206403010821e09ebccde5382fbe47052f42.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 17796927a7cc1c7532e760970ced206403010821e09ebccde5382fbe47052f42.exe
- Resource: win10v2004-en-20220113
General
- Target: 17796927a7cc1c7532e760970ced206403010821e09ebccde5382fbe47052f42.exe
- Size: 60KB
- MD5: 2a0b0fc0d3280338e7b3df79d0bac6db
- SHA1: 67a64ca1307574752fd6fd4b7b30d5742d4948f3
- SHA256: 17796927a7cc1c7532e760970ced206403010821e09ebccde5382fbe47052f42
- SHA512: b674ad5ed61f60328f8840d3c7b56d295fbfaf1690e9f5a81f1d7c26220fc83d429acebf4225c3cf5677f26e25e63fa61706946c2b362a8c5fc200ecaef49b74
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 832)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 308)
- Loads dropped DLL (2 IoCs)
  Processes: 17796927a7cc1c7532e760970ced206403010821e09ebccde5382fbe47052f42.exe (PID 1292), recorded twice
- Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 17796927a7cc1c7532e760970ced206403010821e09ebccde5382fbe47052f42.exe (PID 1292)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is the canned description of the drive-enumeration heuristic: nothing else in this report (a Run key, a dropped EXE, self-deletion) records encryption or ransom-note activity, so treat the ransomware label as unconfirmed.
- Runs ping.exe (1 TTP, 1 IoC)
  Processes: PING.EXE (PID 1100, see the process tree below)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, process 17796927a7cc1c7532e760970ced206403010821e09ebccde5382fbe47052f42.exe (PID 1292)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID -> target PID, source process -> target process):
  - 1292 -> 832: 17796927a7cc1c7532e760970ced206403010821e09ebccde5382fbe47052f42.exe -> MediaCenter.exe (4 writes)
  - 1292 -> 308: 17796927a7cc1c7532e760970ced206403010821e09ebccde5382fbe47052f42.exe -> cmd.exe (4 writes)
  - 308 -> 1100: cmd.exe -> PING.EXE (4 writes)
Processes
- C:\Users\Admin\AppData\Local\Temp\17796927a7cc1c7532e760970ced206403010821e09ebccde5382fbe47052f42.exe (PID 1292, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\17796927a7cc1c7532e760970ced206403010821e09ebccde5382fbe47052f42.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 832, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 308, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17796927a7cc1c7532e760970ced206403010821e09ebccde5382fbe47052f42.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1100, depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
The image paths land under SysWOW64 although the command lines name System32: that is WoW64 file-system redirection, so the sample is a 32-bit process on the 64-bit host, which also explains why its Run key is written under Wow6432Node. The cmd.exe chain is the usual self-deletion trick: ping 127.0.0.1 stalls for roughly a second so the parent can exit and release its image file before del /q unlinks it.
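The three behaviours this report records (a Run key pointing into the user's Temp directory, a payload launched from that directory by a dropper that also lives there, and the "cmd /c ping & del" self-deletion chain) can be turned into triage rules. The block below is an added example, not code from the sandbox vendor or from the sample; its event records are constructed from the process tree and registry write above plus two benign controls, the parent of the sample (explorer.exe, PID 600) is assumed, and the field names (type, pid, ppid, image, cmdline, key, value) are this example's own convention rather than a real telemetry schema.

```python
"""Triage rules for the behaviours recorded in the report: user-writable Run key,
payload executed from a dropper's directory, and cmd /c ping & del self-deletion.
Paths are handled with ntpath so the rules run on any OS."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\17796927a7cc1c7532e760970ced206403010821e09ebccde5382fbe47052f42.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# CONSTRUCTED from the report's process tree and registry write; PID 600 and
# the last two records (benign controls) are assumptions, not from the page.
EVENTS = [
    {"type": "process", "pid": 600, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 1292, "ppid": 600, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 1292,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": PAYLOAD},
    {"type": "process", "pid": 832, "ppid": 1292, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"type": "process", "pid": 308, "ppid": 1292, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1100, "ppid": 308, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # benign controls: a user-driven delete with a ping delay, and a vendor Run key
    {"type": "process", "pid": 2000, "ppid": 600, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping 127.0.0.1 -n 3 & del /q C:\Users\Admin\Downloads\setup.tmp"},
    {"type": "registry", "pid": 2001,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "value": r"C:\Program Files\Vendor\agent.exe"},
]

# Directories an unprivileged user can write to: a Run key pointing here is
# persistence that needed no elevation to install.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
# "del [/switches] <target>" up to the end of the command or the next operator.
DEL_RE = re.compile(r'\bdel\b(?:\s+/[a-z])*\s+"?([^"&|]+?)"?\s*(?:$|&|\|)', re.I)
# The delay that lets the parent exit before its image file is unlinked.
WAIT_RE = re.compile(r"\b(?:ping(?:\.exe)?|timeout(?:\.exe)?|waitfor)\b", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\", re.I)


def _norm(path):
    # lower-case, strip quotes, unify separators (ntpath works on any OS)
    return ntpath.normcase(path.strip().strip('"'))


def _in_user_writable(path):
    p = _norm(path)
    return any(marker in p for marker in USER_WRITABLE)


def _processes(events):
    return [e for e in events if e["type"] == "process"]


def _parent_image(events, ppid):
    for e in _processes(events):
        if e["pid"] == ppid:
            return e["image"]
    return None


def find_self_delete(events):
    """cmd.exe that waits (ping/timeout/waitfor) and then deletes its own parent's image."""
    hits = []
    for e in _processes(events):
        if ntpath.basename(_norm(e["image"])) != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m or not WAIT_RE.search(e["cmdline"]):
            continue
        parent = _parent_image(events, e["ppid"])
        if parent and _norm(m.group(1)) == _norm(parent):
            hits.append({"pid": e["pid"], "deletes": parent})
    return hits


def find_run_key_persistence(events):
    """Run-key value (any hive, Wow6432Node included) that points into a user-writable path."""
    hits = []
    for e in events:
        if e["type"] != "registry" or not RUN_KEY_RE.search(e["key"]):
            continue
        if _in_user_writable(e["value"]):
            hits.append({"pid": e["pid"], "key": e["key"], "target": _norm(e["value"])})
    return hits


def find_temp_payload(events):
    """Executable started from a user-writable directory by a parent that also runs from one."""
    hits = []
    for e in _processes(events):
        parent = _parent_image(events, e["ppid"])
        if parent and _in_user_writable(e["image"]) and _in_user_writable(parent):
            hits.append({"pid": e["pid"], "image": _norm(e["image"]), "parent": _norm(parent)})
    return hits


def triage(events):
    return {"self_delete": find_self_delete(events),
            "run_key": find_run_key_persistence(events),
            "temp_payload": find_temp_payload(events)}


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(name, hits)
```

The self-deletion rule insists that the del target equals the parent's image path, which is what separates the sample's chain (PID 308 deleting PID 1292's file) from the benign control that also pairs ping with del; the Run-key rule keys on the path the value points to rather than on the hive, so it catches both the Wow6432Node write seen here and the native 64-bit key.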
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b8163ff4992f8993bc35cfed82b65df3
- SHA1: ee70d4136156f46e10abd12d6394322dc7c1e68b
- SHA256: 609c7adff3a048302dc0a8a4f7472596dc97ca125a6f74795fa32957a7afb267
- SHA512: 46c91c9abe9b02ffe590df8faabc690945aa4997ed10d6e1d119891a3095f61bee75688582bf3eadbad979a193a4dca690d2c87eabc1a6dc6e29429d2e4b0700