Analysis
- max time kernel: 122s
- max time network: 134s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:40
Static task: static1
Behavioral task: behavioral1
- Sample: 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe
- Resource: win10v2004-en-20220112
General
- Target: 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe
- Size: 60KB
- MD5: 3fc2f2819b63dcd567fd097605ccb041
- SHA1: ea328f52f90c304b2776932bd464928bc3d80730
- SHA256: 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b
- SHA512: 05b1847d27bad5828df9381924267a9a508a23b0ad7ad32fc71b94a33df049ef3577a3d54001b0cb66d716a3232b35789584e49a2e3a54ed8eb903849a74b7d3
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  - 1656 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
  - 452 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  - 1340 | 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe
  - 1340 | 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  - Token: SeIncBasePriorityPrivilege | 1340 | 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  - PID 1340 wrote to memory of 1656 | 1340 | 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe | MediaCenter.exe
  - PID 1340 wrote to memory of 1656 | 1340 | 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe | MediaCenter.exe
  - PID 1340 wrote to memory of 1656 | 1340 | 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe | MediaCenter.exe
  - PID 1340 wrote to memory of 1656 | 1340 | 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe | MediaCenter.exe
  - PID 1340 wrote to memory of 452 | 1340 | 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe | cmd.exe
  - PID 1340 wrote to memory of 452 | 1340 | 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe | cmd.exe
  - PID 1340 wrote to memory of 452 | 1340 | 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe | cmd.exe
  - PID 1340 wrote to memory of 452 | 1340 | 1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe | cmd.exe
  - PID 452 wrote to memory of 740 | 452 | cmd.exe | PING.EXE
  - PID 452 wrote to memory of 740 | 452 | cmd.exe | PING.EXE
  - PID 452 wrote to memory of 740 | 452 | cmd.exe | PING.EXE
  - PID 452 wrote to memory of 740 | 452 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1340
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1656
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1708e3af703e92b6479c4f51ef8b72ef83fa6043a116ef2f4adf7abdf16b7a4b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 452
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 740
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 915fa868502b6d70604ead731ab59b74
  SHA1: 6680271678a1438bc4b0cc57fb5649f1b5b3f547
  SHA256: f7b610dc44667080c0de8b37ead1c6c9f5e08b4e822f0ea6a756624d6046451b
  SHA512: f35b8247b083ed5ea10ff37c59a23857b22b9fb4831945d78d05a691a93b608a6b8b261efd908158b6c2fa8fcf30c16bb03f32caec5238db9e6b76d847ebf08c