Analysis
- max time kernel: 146s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:37
Static task: static1
Behavioral task: behavioral1
- Sample: 172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe
- Resource: win10v2004-en-20220113
General
- Target: 172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe
- Size: 36KB
- MD5: 98b7e6a2cd93decea71d84f4ba29194e
- SHA1: f1b03589d35cf0d6aaae07474761246d3929647c
- SHA256: 172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c
- SHA512: ff23d0728812ec517a0c2be22204b6d668719bf04a29329bc2429826e1a20e7fe9e55067ab84b8e8322a8feb0def25f896835dbbf981c41975db0dc03ae2b5e6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1600 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: PID 1528 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1204 172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: PID 1204 172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: PID 1204 172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1204 (172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe) wrote to memory of PID 1600 (MediaCenter.exe), 4 events
  PID 1204 (172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe) wrote to memory of PID 1528 (cmd.exe), 4 events
  PID 1528 (cmd.exe) wrote to memory of PID 980 (PING.EXE), 4 events
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1204
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1600
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1528
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 980
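The two behaviours worth turning into detections from this tree are the "ping then del" self-deletion (cmd.exe spawned by the sample, whose del target is the parent's own image) and the Run key that points into a user-writable Temp directory. The following Python is an added example, not part of the sandbox report or of the sample; it rebuilds the report's process tree and registry write as constructed input and runs two rules over them. The record layout (`pid`, `ppid`, `image`, `cmdline`, `key`, `value`, `data`) is an assumption chosen for the example, not a Triage export format.

```python
import re

# Constructed input: the process tree and registry write exactly as this report lists
# them (PIDs, image paths and command lines are taken from the page; ppid 0 for the root).
SAMPLE = "172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESSES = [
    {"pid": 1204, "ppid": 0, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 1600, "ppid": 1204, "image": DROPPED, "cmdline": DROPPED},
    # The image is under SysWOW64 although the command line names System32: WoW64
    # file-system redirection for a 32-bit parent (the Run key also lands under Wow6432Node).
    {"pid": 1528, "ppid": 1204, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_PATH}"'},
    {"pid": 980, "ppid": 1528, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

REGISTRY_WRITES = [
    {"pid": 1204,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicroMedia",
     "data": DROPPED},
]

# "ping <anything> & del [/switches] <path>" in one command line: ping is only a delay so
# that the parent has exited before del runs. The regex tolerates "ping -n 3 host > nul".
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&+\s*del\b(?:\s+/[a-z])*\s+"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.IGNORECASE
)


def _norm(path):
    """Case-fold and strip quotes so a quoted del target compares equal to an image path."""
    return path.strip().strip('"').lower()


def detect_self_delete(processes):
    """Return cmd.exe processes whose ping-and-del target is the parent process's own image."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        if not p["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(p["cmdline"])
        if not m:
            continue
        parent = by_pid.get(p["ppid"])
        target = _norm(m.group("target"))
        # Only a del aimed at the parent's binary is self-deletion; other targets are cleanup.
        if parent and _norm(parent["image"]) == target:
            findings.append({"cmd_pid": p["pid"], "parent_pid": parent["pid"], "target": target})
    return findings


def detect_run_key_persistence(writes):
    """Return Run/RunOnce values whose launch path sits in a user-writable location."""
    findings = []
    for w in writes:
        if RUN_KEY_RE.search(w["key"]) and USER_WRITABLE_RE.search(w["data"]):
            findings.append({"pid": w["pid"], "value": w["value"], "data": w["data"]})
    return findings


if __name__ == "__main__":
    for f in detect_self_delete(PROCESSES):
        print("self-delete via cmd.exe:", f)
    for f in detect_run_key_persistence(REGISTRY_WRITES):
        print("Run key persistence from user-writable path:", f)
```

The self-delete rule keys on the parent relationship rather than on `ping 127.0.0.1` alone, so ordinary scripts that ping and delete a log file are not flagged; the Run key rule keys on the launch path, so a vendor installer writing a `C:\Program Files` entry to Run is not flagged either.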
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Three dropped artifacts are listed, all with identical hashes:
- MD5: f511685028a8f0265ecb2c3341f08fd3
- SHA1: 6e27e1e5ab35caf96629f516798d963e3cbe15e2
- SHA256: 97ca294a18ea9abc88a106830f279043daab5e55d61187667acae8589d3f7e57
- SHA512: 33bc2939fa0396eb9c4679b9e3754bb9ee3530a13caaa2356a3c0abac33432c7f10cc629a38fd106d48a831fc1736487bb2efd3f9cae8b122cf0a68f96bb0e8f