Analysis
- max time kernel: 141s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:38
Static task: static1
Behavioral task: behavioral1
  Sample: 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe
  Resource: win10v2004-en-20220113
General
- Target: 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe
- Size: 35KB
- MD5: 8cd003c17a446bb441b175ad3d53ca96
- SHA1: a4292cc58f9438b7cd1fc1397163431435f67047
- SHA256: 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0
- SHA512: 8aab17d98bac66326a78f3428e319a137522b26237fc16d750cac53b7995c8a25023d537594f823ea6a42219b7f2b2f5292ab659e8e944aba51ecf7b85cbf0b1
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    956  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
    1176  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1884  17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe
    1884  17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    description: Token: SeIncBasePriorityPrivilege
    pid: 1884
    process: 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1884 wrote to memory of 956   | 1884 | 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe | MediaCenter.exe
    PID 1884 wrote to memory of 956   | 1884 | 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe | MediaCenter.exe
    PID 1884 wrote to memory of 956   | 1884 | 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe | MediaCenter.exe
    PID 1884 wrote to memory of 956   | 1884 | 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe | MediaCenter.exe
    PID 1884 wrote to memory of 1176  | 1884 | 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe | cmd.exe
    PID 1884 wrote to memory of 1176  | 1884 | 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe | cmd.exe
    PID 1884 wrote to memory of 1176  | 1884 | 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe | cmd.exe
    PID 1884 wrote to memory of 1176  | 1884 | 17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe | cmd.exe
    PID 1176 wrote to memory of 1196  | 1176 | cmd.exe | PING.EXE
    PID 1176 wrote to memory of 1196  | 1176 | cmd.exe | PING.EXE
    PID 1176 wrote to memory of 1196  | 1176 | cmd.exe | PING.EXE
    PID 1176 wrote to memory of 1196  | 1176 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe"
  PID: 1884
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 956
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17244ed1b05be640d503408ae000cf40a3ab8447dbd43647aae36275f403ebc0.exe"
    PID: 1176
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1196
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a6e63497d39e9925c6295b736f055636
  SHA1: 7589239e2a84bd728d8d37f5d18e2117ee9fac06
  SHA256: 42981b1452e25dfa0443f584494f538ab61e4d3cabaef91f90cd6bd7cd0a4292
  SHA512: 046bf93b0749817d7e89e6e9cfc2c5d15aaccd7e5f5731c04f791f9016a9f2301eabcbe576a3cece9bdc288b0b477460b8ef78834388de8f6681fbb3025c3cb5