Analysis
  max time kernel: 133s
  max time network: 166s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 12-02-2022 03:20
Static task: static1
Behavioral task: behavioral1
  Sample: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
  Resource: win10v2004-en-20220113
General
  Target: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
  Size: 60KB
  MD5: 9d8c0111a81c0f9ec945597467d7167f
  SHA1: aad4d5baab10ebb2ac71e7857849456d22aa452a
  SHA256: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34
  SHA512: 662402ff021d1d36504a3c392d9aca76f4a0fc199c8df3b6d5e7d46637689211d241b70a67ade624961a9c8067df786e206c67aa40323d501f17baf3d172f2bd
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid     process
    1652    MediaCenter.exe

Deletes itself (1 IoC)
  Processes: cmd.exe
    pid     process
    1928    cmd.exe

Loads dropped DLL (2 IoCs)
  Processes: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
    pid     process
    1320    17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
    1320    17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
    description      ioc                                                                                                                                          process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
    description                         pid     process
    Token: SeIncBasePriorityPrivilege   1320    17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe, cmd.exe
    description                      pid     process                                                                   target process
    PID 1320 wrote to memory of 1652 1320    17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe    MediaCenter.exe
    PID 1320 wrote to memory of 1652 1320    17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe    MediaCenter.exe
    PID 1320 wrote to memory of 1652 1320    17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe    MediaCenter.exe
    PID 1320 wrote to memory of 1652 1320    17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe    MediaCenter.exe
    PID 1320 wrote to memory of 1928 1320    17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe    cmd.exe
    PID 1320 wrote to memory of 1928 1320    17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe    cmd.exe
    PID 1320 wrote to memory of 1928 1320    17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe    cmd.exe
    PID 1320 wrote to memory of 1928 1320    17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe    cmd.exe
    PID 1928 wrote to memory of 1568 1928    cmd.exe                                                                   PING.EXE
    PID 1928 wrote to memory of 1568 1928    cmd.exe                                                                   PING.EXE
    PID 1928 wrote to memory of 1568 1928    cmd.exe                                                                   PING.EXE
    PID 1928 wrote to memory of 1568 1928    cmd.exe                                                                   PING.EXE
Processes
  1. C:\Users\Admin\AppData\Local\Temp\17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe (PID 1320)
     Command line: "C:\Users\Admin\AppData\Local\Temp\17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe"
     Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1652)
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Signatures: Executes dropped EXE
     2. C:\Windows\SysWOW64\cmd.exe (PID 1928)
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe"
        Signatures: Deletes itself; Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\PING.EXE (PID 1568)
           Command line: ping 127.0.0.1
           Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: c2bfa8c479ede328f3d7a84d16d2d683
  SHA1: 2c7bc69dd0b830cf473347ec7e6036484fec5167
  SHA256: e031707a94b8596e1119a13d89cc8758886add8d98962d764f8bd52c29237378
  SHA512: ac25550a0f58f332f98cf5525f7ffa237db9b2dd4247e8e2f8389101bd9d4ea76ca2dfac9c060690b2c80a779b8643bfd3b0995b7fdab785577d2e1a3c40d582