Analysis
- max time kernel: 150s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:34
Static task: static1
Behavioral task: behavioral1
  Sample: 174f5ffd59d8cbffb38a58cd1fd530a14a19a5deb60987b54cba9a46052c5d36.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 174f5ffd59d8cbffb38a58cd1fd530a14a19a5deb60987b54cba9a46052c5d36.exe
  Resource: win10v2004-en-20220112
General
- Target: 174f5ffd59d8cbffb38a58cd1fd530a14a19a5deb60987b54cba9a46052c5d36.exe
- Size: 60KB
- MD5: 12d784fbc37637cf833bd595a2fafd06
- SHA1: e79effa851ee41fe6745113de308941894b54c9b
- SHA256: 174f5ffd59d8cbffb38a58cd1fd530a14a19a5deb60987b54cba9a46052c5d36
- SHA512: a1e556a3bf94ce6eaf255c6a828f2c30ab83624fd7914f7fc83d08853e4d0cf48ed87245e368283b27e025709558857a2bdc0cde4b4a756b4e750c3f7832aca8
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1600  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    980  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1204  174f5ffd59d8cbffb38a58cd1fd530a14a19a5deb60987b54cba9a46052c5d36.exe
    1204  174f5ffd59d8cbffb38a58cd1fd530a14a19a5deb60987b54cba9a46052c5d36.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    174f5ffd59d8cbffb38a58cd1fd530a14a19a5deb60987b54cba9a46052c5d36.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1204  174f5ffd59d8cbffb38a58cd1fd530a14a19a5deb60987b54cba9a46052c5d36.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1204 wrote to memory of 1600  1204  174f5ffd59d8cbffb38a58cd1fd530a14a19a5deb60987b54cba9a46052c5d36.exe  MediaCenter.exe  (4 events)
    PID 1204 wrote to memory of 980   1204  174f5ffd59d8cbffb38a58cd1fd530a14a19a5deb60987b54cba9a46052c5d36.exe  cmd.exe  (4 events)
    PID 980 wrote to memory of 968    980   cmd.exe  PING.EXE  (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\174f5ffd59d8cbffb38a58cd1fd530a14a19a5deb60987b54cba9a46052c5d36.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\174f5ffd59d8cbffb38a58cd1fd530a14a19a5deb60987b54cba9a46052c5d36.exe"
  PID: 1204
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1600
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\174f5ffd59d8cbffb38a58cd1fd530a14a19a5deb60987b54cba9a46052c5d36.exe"
    PID: 980
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 968
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: df9b4e1a7ffdd487555e55614f39e212
  SHA1: 9606ed7ab067ace4ba300df9d7fc96f051042dbb
  SHA256: 6db0cde7fe3cb3dde9fdb7f4a7c520de029a831b92f5dd35a0ebe3341fc3da9d
  SHA512: b57c73e61381f0b0dfe305374860935e4d1ab52e5d961619b4fbfb7fa90a70551ae94a23297dee3bb4b15a6321b424b458ece9f61a0fb2c0a25a63bfdd113a76