Analysis
- max time kernel: 147s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:41
Static task: static1
Behavioral task: behavioral1
- Sample: 16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe
- Resource: win10v2004-en-20220112
General
- Target: 16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe
- Size: 36KB
- MD5: e38b889bd8ce530aab35327d85cf0266
- SHA1: 6e7f2b60a9d65edf056a669707044382654e6ef7
- SHA256: 16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a
- SHA512: 292b4e94b5b74e7df431e434497a7c562bc78852456b402ae9d9c530600a103306ed7fc59c9e5445600ebda5a0c8be6ab17178784c890927bfe63f9e130634f2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1544)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1980)
- Loads dropped DLL (2 IoCs)
  Processes: 16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe (PID 1664), two IoC entries
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe (PID 1664)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID | Target PID | Source process | Target process | Entries
  1664 | 1544 | 16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe | MediaCenter.exe | 4
  1664 | 1980 | 16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe | cmd.exe | 4
  1980 | 1964 | cmd.exe | PING.EXE | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1664
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1544
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1980
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1964
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 141ae5d498f7030f43b8dc5501dab218
  SHA1: 4307c52d8cb07beb2e3e31f83b0660de7f23cf0e
  SHA256: 4437062cc9ded509ce2e717c449d079897efa9f6bcec47b3875984c237e02b16
  SHA512: acca030fabb55c8050a9b7480f4733064d043ba09d8a2d1beacc8d55758c9e0ef0d0f2c124ec20ce1e6299de5d6a2c91bf067e040d49cf68ba6a3f94b19b956e