Analysis
- max time kernel: 151s
- max time network: 185s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:44
Static task: static1
Behavioral task: behavioral1
- Sample: 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe
- Resource: win10v2004-en-20220112
General
- Target: 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe
- Size: 60KB
- MD5: 52e295ad59446badbf6e446255ea2d6c
- SHA1: 6723d0d12393c0e27227c5c3c52a89692cf1ced0
- SHA256: 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c
- SHA512: 7c00ccfb304d397736c415b562f693a79993794ca83096e8059da7948a2e753bdbed68fe82ebb43956001cd6cbb3a013c93e5f19956ba7756b18bb738f5b086e
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1648 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
  1252 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  956 | 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe
  956 | 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 956 | 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 956 wrote to memory of 1648 | 956 | 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe | MediaCenter.exe
  PID 956 wrote to memory of 1648 | 956 | 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe | MediaCenter.exe
  PID 956 wrote to memory of 1648 | 956 | 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe | MediaCenter.exe
  PID 956 wrote to memory of 1648 | 956 | 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe | MediaCenter.exe
  PID 956 wrote to memory of 1252 | 956 | 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe | cmd.exe
  PID 956 wrote to memory of 1252 | 956 | 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe | cmd.exe
  PID 956 wrote to memory of 1252 | 956 | 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe | cmd.exe
  PID 956 wrote to memory of 1252 | 956 | 16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe | cmd.exe
  PID 1252 wrote to memory of 1500 | 1252 | cmd.exe | PING.EXE
  PID 1252 wrote to memory of 1500 | 1252 | cmd.exe | PING.EXE
  PID 1252 wrote to memory of 1500 | 1252 | cmd.exe | PING.EXE
  PID 1252 wrote to memory of 1500 | 1252 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe"
  PID: 956
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1648
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16e6ebfa4650c6d1b7d8ca40830d3647b75473bbc53b221f9b98e3479d016b4c.exe"
    PID: 1252
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1500
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b4e193396dcff34d756401729fe25d5c
  SHA1: cb6cd33dd5b293e64782d7a04dec02e4cfbabe68
  SHA256: f6246682553ed45f0dc233c3847f1db69ea239cac007c6d409a2b12f9a4d1dc9
  SHA512: 4880ee96ce1d3e370f7ee00eb4eb66702c2587fa1f170e5218ac481ac3b1abd86c7cdb1c9aeafbde2f2d3a9d387d25242b4609f1a0790503fa33e97dd3556ad5