Analysis
- max time kernel: 120s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:25
Static task: static1
Behavioral task: behavioral1
- Sample: 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe
- Resource: win10v2004-en-20220113
General
- Target: 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe
- Size: 36KB
- MD5: 4d0b4d2202776de197ba86e39a84b518
- SHA1: 9d40329effacfa12d5c87b2f3c1116adb08d42f9
- SHA256: 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646
- SHA512: 44217ee231a1a98a747256dde4ebadeb7a53a41f8002dc1d6b71612a8cc740188edb44bdff1d470d9a10501d42abe69845d0c1ab34d0de0ed56e29f5b9296598
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 524)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 820)
- Loads dropped DLL (2 IoCs)
  Processes: 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe (PID 1176), 2 loads
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe (PID 1176)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1176 (17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe) wrote to memory of PID 524 (MediaCenter.exe), 4 times
  PID 1176 (17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe) wrote to memory of PID 820 (cmd.exe), 4 times
  PID 820 (cmd.exe) wrote to memory of PID 1976 (PING.EXE), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe (PID 1176)
  Command line: "C:\Users\Admin\AppData\Local\Temp\17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 524)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 820)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1976)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5416142ef2ecc1ec34d1acf3bc8e4fc3
  SHA1: 5f4afac52a3c39175e58faa6fd9299269113bd14
  SHA256: 0d47d8b7a93f3618424a08ff0cad6668f76380bee3d26587d607f27eb7282594
  SHA512: b1fe3f50a1377ff3d02b1f5f13f1776fe0c638fce03ad16cd61848f96464b20a24f9ec65c522130380ac93086e690cb06395ca187d6bbf5ef000810ff31e9145