Analysis
- max time kernel: 145s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:37
Static task: static1
Behavioral task: behavioral1
  Sample: 17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe
  Resource: win10v2004-en-20220112
General
- Target: 17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe
- Size: 58KB
- MD5: 7c1da6ca130d89909a74ad48831a0f7d
- SHA1: 4c772b5e01a92d167458a2c1eb1358433c2e14a7
- SHA256: 17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6
- SHA512: 6a909c6dc75f5941050edd7c7967906cf0d1a7b80942a3b3d36faad11b105d425c891f1f11ab576d5ac677e497d954884b249df94620f9ca2fccd0b64c81649f
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1520  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    1536  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1508  17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe
    1508  17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1508
    process: 17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                target process
    PID 1508 wrote to memory of 1520  1508  17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe  MediaCenter.exe
    PID 1508 wrote to memory of 1520  1508  17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe  MediaCenter.exe
    PID 1508 wrote to memory of 1520  1508  17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe  MediaCenter.exe
    PID 1508 wrote to memory of 1520  1508  17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe  MediaCenter.exe
    PID 1508 wrote to memory of 1536  1508  17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe  cmd.exe
    PID 1508 wrote to memory of 1536  1508  17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe  cmd.exe
    PID 1508 wrote to memory of 1536  1508  17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe  cmd.exe
    PID 1508 wrote to memory of 1536  1508  17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe  cmd.exe
    PID 1536 wrote to memory of 1648  1536  cmd.exe                                                                PING.EXE
    PID 1536 wrote to memory of 1648  1536  cmd.exe                                                                PING.EXE
    PID 1536 wrote to memory of 1648  1536  cmd.exe                                                                PING.EXE
    PID 1536 wrote to memory of 1648  1536  cmd.exe                                                                PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe"
  PID: 1508
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1520
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17293ae7e773513b9b440a01d25572dfee40973d5f5997186d417743d36ac0c6.exe"
    PID: 1536
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1648
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5ff4d1bb17d04865c5f3d2a77eb2966e
  SHA1: ae17f052651efc8eecc9a69331fce212c6d998de
  SHA256: f1ad5dbba1b1493c9791015364048928835c8800424a2c7d0a183129a4827146
  SHA512: 9e9cae7197702bd235a73873b94ccb35d8503bd32be1f549b8a4ba0b941768cf8a2f77ac16657be706230b514dd554c370dece23e4165fc3c1448950d21ff2f9