Analysis
- max time kernel: 143s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:34
Static task: static1
Behavioral task: behavioral1
- Sample: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe
- Resource: win10v2004-en-20220113
General
- Target: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe
- Size: 60KB
- MD5: 45e06e9c8d003437f143609c4abb8010
- SHA1: 7dc81e173698acffcc56078bbc6ab3cba357744e
- SHA256: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827
- SHA512: d8f892eda8222a44e1f85e1f7114d7f569fb24a4006c64024adf223edddb29f13246089eee74fa6dcf4358c6b49677ff568503c5bb78a4cdd8f226839f13d508
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  PID 1144: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  PID 764: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  PID 1572: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe
  PID 1572: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  Process: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  Process: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe (PID 1572)
  Description: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe, cmd.exe
  PID 1572 wrote to memory of 1144: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe -> MediaCenter.exe (4 entries)
  PID 1572 wrote to memory of 764: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe -> cmd.exe (4 entries)
  PID 764 wrote to memory of 1596: cmd.exe -> PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe"
  PID: 1572
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1144
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe"
    PID: 764
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1596
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6c3becef2a76e5768bd49ee8e22f1ba0
  SHA1: 614b6a1d7ca2d1d7513065c266ce49216de09e19
  SHA256: 48599cc72a8db5bc84191b4e1d99300eeb0dd77a3a377629213ac7d57b2275eb
  SHA512: 3527ff292ea456f1868e33798bb5026813e459158839bc7c4464dcb074daa5330c2f8509424e09d2fcb64dddad8bcf6df485a6f441f57d01fdf1e5eea8ba8527