Analysis
max time kernel: 118s
max time network: 127s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:32
Static task: static1
Behavioral task: behavioral1
  Sample: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe
  Resource: win10v2004-en-20220113
General
Target: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe
Size: 58KB
MD5: ee05a7b800720f11ca578650a9ffe380
SHA1: 30708704c48cafe9f58196ce35bede267942a36f
SHA256: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591
SHA512: 1f73705833d933a10dc84e79703b704b42200412f68ff183911e349ec3f4da4e65680565523f017258992a329c896912c17b02af0c613843ca90cc9394859ee9
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  MediaCenter.exe (PID 808)

Deletes itself (1 IoC)
Processes:
  cmd.exe (PID 856)

Loads dropped DLL (2 IoCs)
Processes:
  1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe (PID 1520)
  1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe (PID 1520)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege, PID 1520, 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
  PID 1520 wrote to memory of 808: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe -> MediaCenter.exe (4 entries)
  PID 1520 wrote to memory of 856: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe -> cmd.exe (4 entries)
  PID 856 wrote to memory of 1120: cmd.exe -> PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1520
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 808
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 856
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1120
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: f2be12c8b63df9631c1071afa2f9201a
SHA1: 6b56421712ec3710616a02a45838274e55167b00
SHA256: 3536474c2926a6e78044e93978d0c0191128e884d3dc681b43ddb785e4909ca8
SHA512: 01b50bc9969b4e3d609e93e2b1dde09f24504d3d0602d49860f5af30b07327a667aa38b592a89f93d16fa92b102929b2812099a2d4c47287a88a82282cc23cc6