Analysis

max time kernel: 135s
max time network: 167s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:24

Static task: static1

Behavioral task: behavioral1
Sample: 17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe
Resource: win10v2004-en-20220112
General

Target: 17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe
Size: 36KB
MD5: 4549dbda12eef5539ed4ab19888e0b46
SHA1: 7e9a2bf7ba4861416b4f498b8f08398832b1970f
SHA256: 17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d
SHA512: c4fb5385c2d4395a0b586d15b874224262a3aef45b96a8a3cfc32a1b61800b490224b3917b1b23bd45e4f41a8b8bd4beb76c34479ad01feb2123ff300358ac12
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  792   MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  612   cmd.exe

Loads dropped DLL (2 IoCs)
  pid   process
  952   17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe
  952   17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege
  pid: 952
  process: 17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 952 wrote to memory of 792  (17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe -> MediaCenter.exe), recorded 4 times
  PID 952 wrote to memory of 612  (17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe -> cmd.exe), recorded 4 times
  PID 612 wrote to memory of 1612 (cmd.exe -> PING.EXE), recorded 4 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe  (PID 952)
   command line: "C:\Users\Admin\AppData\Local\Temp\17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 792)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe  (PID 612)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE  (PID 1612)
         command line: ping 127.0.0.1
         - Runs ping.exe
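Two behaviours in this tree are worth turning into hunting logic: the HKLM Run value that points into the user's AppData\Local\Temp directory, and the `cmd.exe /c ping 127.0.0.1 & del /q "<own path>"` idiom, where ping only serves as a delay until the parent has exited so that del can remove its now-unlocked image. Note also that the command line names C:\Windows\System32\cmd.exe while the image that actually ran is C:\Windows\SysWOW64\cmd.exe, and the Run value landed under Wow6432Node: this is a 32-bit sample running under WOW64, so a rule keyed on the literal System32 path would miss it. The following is an added example, not part of the sandbox report or its vendor's tooling. It models Sysmon-style events as plain dicts (EventID 1 process-create records with Image/CommandLine/ParentImage, EventID 13 registry-set records with TargetObject/Details); those field names, the benign look-alike events and the explorer.exe parent are assumptions, while the malicious events are constructed from the process tree and IoCs above.

```python
"""Hunting logic for the persistence and self-deletion behaviours in the report.

Added example; field names follow Sysmon's naming but the records below are
constructed by hand from the sandbox report, not exported from a real sensor.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events modelled on the process tree and IoCs above (assumption:
# the sample was launched by explorer.exe; the report does not say).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 952, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 952, "Image": SAMPLE,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 792, "Image": DROPPED,
     "CommandLine": DROPPED, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 612, "Image": CMD,
     "CommandLine": rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
     "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 1612, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping 127.0.0.1", "ParentImage": CMD},
    # Constructed benign look-alikes that must not fire:
    # a Run value under a protected path, and a ping+del that targets a
    # file other than the parent's own image.
    {"EventID": 13, "ProcessId": 400, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 1, "ProcessId": 2200, "Image": CMD,
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 2 & del /q C:\Users\Admin\build\out.tmp',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Matches both HKLM/HKCU and the native \REGISTRY\... form, with or without
# the Wow6432Node redirection, for Run and RunOnce.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Directories an unprivileged dropper can write to; a Run value pointing here
# is far more suspicious than one pointing into Program Files or System32.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.IGNORECASE)

# "<delay> & del [/flags] <file>": group(2) is the file being deleted.
SELF_DELETE_RE = re.compile(
    r'\b(?:ping|timeout)\b[^&]*&+\s*(?:del|erase)\b((?:\s+/\w)*)\s+"?([^"&]+?)"?\s*(?:&|$)',
    re.IGNORECASE)


def _norm(path):
    """Case-fold and strip quotes so command-line and image paths compare equal."""
    return path.strip().strip('"').lower()


def is_run_key_to_user_writable(target_object, details):
    """True when a Run/RunOnce value is set to a binary in a user-writable directory."""
    return bool(RUN_KEY_RE.search(target_object) and USER_WRITABLE_RE.search(_norm(details)))


def is_self_delete_of_parent(command_line, parent_image):
    """True when the delayed del target is the parent process's own image."""
    m = SELF_DELETE_RE.search(command_line)
    return bool(m) and _norm(m.group(2)) == _norm(parent_image)


def analyze(events):
    """Return one finding per matching event, in input order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13 and is_run_key_to_user_writable(ev["TargetObject"], ev["Details"]):
            findings.append({"rule": "run_key_to_user_writable_path", "pid": ev["ProcessId"],
                             "evidence": f'{ev["TargetObject"]} = {ev["Details"]}'})
        # endswith() rather than a full System32 path so the WOW64-redirected
        # SysWOW64\cmd.exe seen in this report is caught too.
        elif (ev["EventID"] == 1 and _norm(ev["Image"]).endswith("\\cmd.exe")
              and is_self_delete_of_parent(ev["CommandLine"], ev["ParentImage"])):
            findings.append({"rule": "cmd_self_delete_of_parent", "pid": ev["ProcessId"],
                             "evidence": ev["CommandLine"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']}: {f['evidence']}")
```

Run against the constructed events this yields exactly two findings, for PID 952 (the Run value) and PID 612 (the self-deleting cmd.exe); the benign SecurityHealth Run value and the unrelated ping+del do not fire. The parent-image comparison is what separates the self-deletion idiom from ordinary batch cleanup, so a sensor that does not record ParentImage cannot implement the second rule faithfully.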
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 61a82e3021dc7bea71f1b7c8a08ee931
SHA1: a13347c2a4b7311e3cf0d24500982e7fcf7338e4
SHA256: 5b4cb23983a41a8ec020cc7fdcfc225eee9b696a503f1655f0db8c58e39d2c20
SHA512: dc3e48f29d0900ea39a18807c47bda44e4a8149271f772d331c195400c687f263dd8e3a9dac114db8d09ae5de973a49e37e94159b806159e20bb3a9b48a38963