Analysis
- max time kernel: 117s
- max time network: 129s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:26
Static task: static1
Behavioral task: behavioral1
- Sample: 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
- Resource: win10v2004-en-20220113
General
- Target: 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
- Size: 35KB
- MD5: 4889443e1899077b93dc8af4a117580e
- SHA1: 63f2bdd9f5a7d0f51a12a11b171a41bfdae2599c
- SHA256: 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713
- SHA512: 23e3ccacf6820f514021eeb2582ff2603d06adeee4a32a14780b985a5c229a7f0157b6a146499e579266d3180ae4d6d2b3caa4ba67230535722a29b203ee4d2a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1608  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1532  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1548  179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
    1548  179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1548  179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1548 wrote to memory of 1608  1548  179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe  MediaCenter.exe  (4 identical entries)
    PID 1548 wrote to memory of 1532  1548  179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe  cmd.exe  (4 identical entries)
    PID 1532 wrote to memory of 780  1532  cmd.exe  PING.EXE  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe"
  PID: 1548
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1608
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe"
    PID: 1532
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 780
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8136c6e7facc9c04620ad1a4520eb542
  SHA1: 7dee15c13bf559bec4c12185455b467780c8064a
  SHA256: 09a2b9dca3dacfbc16b5b0aecced481b302aab5f47b7329042ccf42804085c21
  SHA512: cd7aceedf76520c55601c294912681a19a00f1f442e7e14686d6b2f842f0b3c19bc98087c06668dcd2a8d8ce44c6a3d0918aa3c0fcdaf5d088022089db8a8879