Analysis

- Max time kernel: 161s
- Max time network: 175s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 12-02-2022 03:18
- Static task: static1
- Behavioral task: behavioral1
  Sample: 17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe
  Resource: win10v2004-en-20220113
General

- Target: 17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe
- Size: 58KB
- MD5: 5c7231bd8c8a5afc8a038e5ecdb6feec
- SHA1: 765dca4d22a61355ab344f349ad0c46549896c0d
- SHA256: 17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f
- SHA512: b11f5910fac5a32d1647e13ffabb6ba8e4ff0dfd383ec6fc2dbf49c8a3303d8e5ffaf5a8522cf2ca8daf96961a8a53f76e3071c27f1711f43ec6d7e8281e392c
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1924 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: PID 1620 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1040 17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe (two loads)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by PID 1040 17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The key sits under Wow6432Node, the 32-bit view of HKLM\SOFTWARE on a 64-bit host, so the writer is a 32-bit process. When checking a live host, query both the 32-bit and the 64-bit Run keys; the target lives under the user's AppData\Local\Temp, a user-writable location.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic sandbox heuristic; no file-encryption activity is reported anywhere else in this analysis.)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, PID 1040 17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1040 (17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe) wrote to memory of PID 1924 (MediaCenter.exe), 4 times
  PID 1040 (17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe) wrote to memory of PID 1620 (cmd.exe), 4 times
  PID 1620 (cmd.exe) wrote to memory of PID 1872 (PING.EXE), 4 times
  Every write targets a child the writer itself created (see the process tree), which is consistent with ordinary child-process setup; there is no write into an unrelated process.
Processes

- C:\Users\Admin\AppData\Local\Temp\17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe"
  PID: 1040
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1924
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe"
    PID: 1620
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1872
      Signatures: Runs ping.exe

The cmd.exe command line names System32 but the image that ran is under SysWOW64: file-system redirection for a 32-bit parent, matching the Wow6432Node Run key above. "ping 127.0.0.1 & del /q <sample>" stalls for the default four echo replies (a few seconds) so the parent can exit before its file is unlinked, and because the commands are chained with "&" rather than "&&", del runs whether or not ping succeeds. Only the initial dropper is removed; MediaCenter.exe stays on disk and in the Run key.
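The "Deletes itself" and "Adds Run key to start application" signatures are heuristics over process-creation and registry events. The following is an added example (mine, not the sandbox's or the report's code) that implements equivalent checks in Python over events constructed from the process tree and the Run-key IoC in this report; the ProcEvent/RegEvent field names, the regular expressions and the delayed-delete test are my assumptions, not the sandbox's actual rules.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (field names are this example's own, not the sandbox's schema)."""
    pid: int
    ppid: int
    image: str      # full path of the executed image
    cmdline: str    # command line as logged


@dataclass
class RegEvent:
    """One registry set-value record written by `pid`."""
    pid: int
    key: str
    value: str
    data: str


# Constructed from the process tree and the Run-key IoC in the report above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCS = [
    ProcEvent(1040, 0, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1924, 1040, DROPPED, DROPPED),
    ProcEvent(1620, 1040, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'),
    ProcEvent(1872, 1620, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REGS = [
    RegEvent(1040, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
             "MicroMedia", DROPPED),
]

# `del` with optional switches, then a quoted or bare path, up to the next & or | separator.
DEL_RE = re.compile(r'\bdel\b\s+(?:/\w\s+)*"?([^"&|]+?)"?\s*(?:$|&|\|)', re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.I)


def find_self_delete(procs):
    """Flag a cmd.exe child whose `del` target is its parent's own image path.

    Returns (cmd_pid, parent_pid, delayed); `delayed` is True when a ping or
    timeout stall precedes the delete, the usual trick to let the parent exit first.
    """
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or not p.image.lower().endswith("\\cmd.exe"):
            continue
        for target in DEL_RE.findall(p.cmdline):
            if target.strip().lower() == parent.image.lower():
                low = p.cmdline.lower()
                hits.append((p.pid, parent.pid, "ping" in low or "timeout" in low))
    return hits


def find_run_key_persistence(regs, procs):
    """Flag Run/RunOnce values, noting a user-writable target and the WOW64 registry view."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for r in regs:
        if not RUN_KEY_RE.search(r.key):
            continue
        hits.append({
            "pid": r.pid,
            "writer": by_pid[r.pid].image if r.pid in by_pid else None,
            "value": r.value,
            "target": r.data,
            "user_writable_target": bool(USER_WRITABLE_RE.search(r.data)),
            # Wow6432Node means a 32-bit writer on x64: hunt in both registry views.
            "wow64_view": "\\wow6432node\\" in r.key.lower(),
        })
    return hits


def process_chain(procs, pid):
    """PIDs from the root ancestor down to `pid`, e.g. [1040, 1620, 1872] for PING.EXE."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    print("self-delete:", find_self_delete(PROCS))
    for h in find_run_key_persistence(REGS, PROCS):
        print("run key:", h)
    print("chain to 1872:", process_chain(PROCS, 1872))
```

The self-delete check compares the `del` target with the parent's image path rather than just looking for "ping & del", so a cmd.exe that deletes some other file is not flagged; the Run-key check records the WOW64 view explicitly because a hunt that reads only the 64-bit Run key would miss this value.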
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: 77d0f9568ee684f04c7389ffcfa8bb66
  SHA1: 33ca5d9a2121eb33624ee92397d171ac3882cee4
  SHA256: 693a4d24bad87a260fd17c01e53b869a15a0c11d429fcb27923e7076d83a842d
  SHA512: 9bae486c0e99f844ffc4cec1adfcac9e3721093a3503ed9cbc1cf4cf179e5d965ebe25fa3d1fb12e27da9b0b30c684fd3f83df112f47e75f73c41475d1d02bee