Analysis
max time kernel: 122s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:35
Static task: static1
Behavioral task: behavioral1
  Sample: 17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe
  Resource: win10v2004-en-20220113
General
Target: 17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe
Size: 60KB
MD5: 255f7bd92f459dc2259f2a50d55c7d1d
SHA1: c108c1980b40fdbfb250a18a540d5d25512aefce
SHA256: 17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6
SHA512: c10262cdc393820fec5c9f09ad8c3054fba6a946d826b078a36d29b7f3ca81408db8935c9a7e792163fa7efcd4782c87a724881ba6d6a66ecc329c357f8422a4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1536  MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  pid   process
  1800  cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1732  17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe
  1732  17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeIncBasePriorityPrivilege
  pid: 1732
  process: 17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process                                                                  target process
  PID 1732 wrote to memory of 1536   1732  17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe  MediaCenter.exe
  PID 1732 wrote to memory of 1536   1732  17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe  MediaCenter.exe
  PID 1732 wrote to memory of 1536   1732  17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe  MediaCenter.exe
  PID 1732 wrote to memory of 1536   1732  17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe  MediaCenter.exe
  PID 1732 wrote to memory of 1800   1732  17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe  cmd.exe
  PID 1732 wrote to memory of 1800   1732  17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe  cmd.exe
  PID 1732 wrote to memory of 1800   1732  17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe  cmd.exe
  PID 1732 wrote to memory of 1800   1732  17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe  cmd.exe
  PID 1800 wrote to memory of 1820   1800  cmd.exe                                                                  PING.EXE
  PID 1800 wrote to memory of 1820   1800  cmd.exe                                                                  PING.EXE
  PID 1800 wrote to memory of 1820   1800  cmd.exe                                                                  PING.EXE
  PID 1800 wrote to memory of 1820   1800  cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1732
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1536
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17413be28964600f61668ddf02561380d8527e8a31953b235a370227cf5b2ef6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1800
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1820
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 14ce1c8d3ea60e156b8f2db996a51b39
SHA1: 17feb61237f60afe39f9905a346027e94e97fb93
SHA256: 3ed0a0cfcc6282b5c51333c47e2ad5a107fe2223d35e7245a8eea0062394593e
SHA512: 38ea79ca55bc1393065b4cd58f9e9ffafe74589697089cc96f20c0c951328ab161080d8dec42fbdee0efa7b953ebb9dd7eedcd9dd6c8ce8a265956c99683b9c2