Analysis
- max time kernel: 136s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:42
Static task: static1
Behavioral task: behavioral1
- Sample: 16ed4c37b883e137e1d39c6ebaa3140e53867ef2bc0e9bc900bfad48a4fcf7d2.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 16ed4c37b883e137e1d39c6ebaa3140e53867ef2bc0e9bc900bfad48a4fcf7d2.exe
- Resource: win10v2004-en-20220112
General
- Target: 16ed4c37b883e137e1d39c6ebaa3140e53867ef2bc0e9bc900bfad48a4fcf7d2.exe
- Size: 36KB
- MD5: 83d8217b0453591545e1e492b9ba00b2
- SHA1: aa769230829e142b76a46f68a2a1a035b074a7f4
- SHA256: 16ed4c37b883e137e1d39c6ebaa3140e53867ef2bc0e9bc900bfad48a4fcf7d2
- SHA512: 72a59a78deb507daf40a1906f93d338d37894b1ee546f6678bce5b926a47c3ead36d17e70b78c337c3c6e0f5beb02124f1e45d3c015484ffefa3f75cf847d6cf
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 304 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: pid 1088 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 1772 16ed4c37b883e137e1d39c6ebaa3140e53867ef2bc0e9bc900bfad48a4fcf7d2.exe (both IoCs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 16ed4c37b883e137e1d39c6ebaa3140e53867ef2bc0e9bc900bfad48a4fcf7d2.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 1772 16ed4c37b883e137e1d39c6ebaa3140e53867ef2bc0e9bc900bfad48a4fcf7d2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  source pid -> target pid (source process -> target process), count
  1772 -> 304 (16ed4c37b883e137e1d39c6ebaa3140e53867ef2bc0e9bc900bfad48a4fcf7d2.exe -> MediaCenter.exe), 4 IoCs
  1772 -> 1088 (16ed4c37b883e137e1d39c6ebaa3140e53867ef2bc0e9bc900bfad48a4fcf7d2.exe -> cmd.exe), 4 IoCs
  1088 -> 1836 (cmd.exe -> PING.EXE), 4 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\16ed4c37b883e137e1d39c6ebaa3140e53867ef2bc0e9bc900bfad48a4fcf7d2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16ed4c37b883e137e1d39c6ebaa3140e53867ef2bc0e9bc900bfad48a4fcf7d2.exe"
  Depth 1, PID 1772
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Depth 2, PID 304
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16ed4c37b883e137e1d39c6ebaa3140e53867ef2bc0e9bc900bfad48a4fcf7d2.exe"
    Depth 2, PID 1088
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Depth 3, PID 1836
      - Runs ping.exe

Note on the paths: the command line names System32 but the image path recorded for cmd.exe and PING.EXE is SysWOW64, and the Run value landed under Wow6432Node. Both are WOW64 redirection (file-system and registry), which tells you the sample is a 32-bit executable running on the 64-bit guest. The ping to 127.0.0.1 is only a delay so that the parent process has exited before del removes its file.
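The Signatures and Processes sections above record two behaviours that are worth detecting generically rather than by hash: a Run value that points into a user-writable directory, and a cmd.exe child that pings localhost and then deletes its parent's own executable. The following Python is an added example, not part of the sandbox output or of the sample. It encodes the process tree and the registry write from this report as constructed records (the Proc/RegSet field names, the regexes and the finding labels are this script's own assumptions, not a sandbox export format) and runs three checks over them. The patterns are deliberately broader than this one sample: they also match RunOnce and HKCU keys, values under AppData\Roaming or ProgramData, and ping -n N ... > nul variants of the delay.

```python
"""Detection checks for the behaviours recorded in the report above.

Added example, not part of the sandbox output or the sample.  PROCS and
REG are constructed by hand from the Processes and Signatures sections;
the Proc/RegSet field names and the regexes are this script's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None for the root of the observed tree
    image: str            # on-disk image path as reported (SysWOW64 for 32-bit)
    cmdline: str          # command line as reported (may name System32)


@dataclass
class RegSet:
    pid: int
    key: str
    value: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\16ed4c37b883e137e1d39c6ebaa3140e53867ef2bc0e9bc900bfad48a4fcf7d2.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the Processes section of the report.
PROCS: List[Proc] = [
    Proc(1772, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(304, 1772, DROPPED, DROPPED),
    Proc(1088, 1772, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Proc(1836, 1088, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
# Constructed from the "Adds Run key to start application" signature.
REG: List[RegSet] = [
    RegSet(1772,
           r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
           r"\CurrentVersion\Run\MicroMedia",
           DROPPED),
]

# Run / RunOnce under HKLM or HKCU, with or without the Wow6432Node redirect.
RUN_KEY_RE = re.compile(
    r"\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories an unprivileged user can write to; autostarts there are suspect.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Local\\Temp|Roaming)|ProgramData|Users\\Public)\\", re.I)
# "cmd /c ping <anything> & del [/switches] <path>": ping is a sleep so the
# parent has exited before del runs.  Group 1 is the deleted path.
DELAY_DELETE_RE = re.compile(
    r'/c\s+ping\b[^&]*&\s*del\b(?:\s+/\w+)*\s+"?([^"]+)"?\s*$', re.I)


def self_delete_target(cmdline: str) -> Optional[str]:
    """Return the path deleted by a ping-then-del command line, else None."""
    m = DELAY_DELETE_RE.search(cmdline)
    return m.group(1) if m else None


def is_user_writable_run_key(ev: RegSet) -> bool:
    """True when a Run/RunOnce value points at a user-writable location."""
    return bool(RUN_KEY_RE.search(ev.key)) and bool(USER_WRITABLE_RE.search(ev.value))


def ancestors(p: Proc, by_pid: Dict[int, Proc]) -> List[Proc]:
    """Walk ppid links upward; the seen-set guards against cycles in bad input."""
    out, seen = [], set()
    while p.ppid is not None and p.ppid in by_pid and p.ppid not in seen:
        seen.add(p.ppid)
        p = by_pid[p.ppid]
        out.append(p)
    return out


def analyze(procs: List[Proc], reg: List[RegSet]) -> List[str]:
    """Run the three checks and return one finding string per hit."""
    by_pid = {p.pid: p for p in procs}
    findings: List[str] = []
    for ev in reg:
        if is_user_writable_run_key(ev):
            findings.append(f"persistence: pid {ev.pid} set Run value -> {ev.value}")
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        # Executable in a user-writable dir started by another one there:
        # the dropper -> payload pattern.
        if parent and USER_WRITABLE_RE.search(p.image) and USER_WRITABLE_RE.search(parent.image):
            findings.append(f"dropped-exe: pid {p.pid} {p.image} launched by pid {parent.pid}")
        target = self_delete_target(p.cmdline)
        if target:
            # Self-deletion proper: the deleted file is an ancestor's own image.
            owners = [a.pid for a in ancestors(p, by_pid) if a.image.lower() == target.lower()]
            if owners:
                findings.append(f"self-deletion: pid {p.pid} deletes image of ancestor pid {owners[0]} ({target})")
            else:
                findings.append(f"delay-delete: pid {p.pid} deletes {target}")
    return findings


if __name__ == "__main__":
    for line in analyze(PROCS, REG):
        print(line)
```

Run against the constructed records it reports the Run-key persistence into Temp, MediaCenter.exe started from Temp by the sample, and the cmd.exe self-deletion of pid 1772's image. Matching the deleted path against ancestor images, not just the parent, is what separates genuine self-deletion from a script that merely deletes some other file after a delay.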
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7f0a18b1b0c25ea3d37fac35dd03219d
- SHA1: 910bb19e181df1ab034fda707fef3f03792fdc9c
- SHA256: afb7641005630cb7157fdd17d379d0e26a0bab2798f56a59ad83ecbd97b72324
- SHA512: bf151db1bf263adc1aa21a8847862f26c528c76588aca8695eed353e4053a9dc37e25f4319a90b7a39c0b7c7507475bb7fc1cd3fd49ac278f397e0a8b0c3a926