Analysis
max time kernel: 140s
max time network: 169s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:47

Static task: static1

Behavioral task: behavioral1
Sample: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
Resource: win10v2004-en-20220112
General
Target: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
Size: 60KB
MD5: d8af75b722f107ff61b90e3b6f760ab9
SHA1: 2a0d3b5afa6c8286909810df31b73ada346f3ad5
SHA256: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636
SHA512: fa75eb68743db7b38c16a8b76843cd75eaebeb8a2a03a7f2459e7d6fe3bcac5bd14b3e2bdcacc41dae3053370896fb30ff2529923add85a23d56612faa6cba8e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid   process
  1620  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid   process
  752   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
  pid   process
  1580  16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
  1580  16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
  description: Token: SeIncBasePriorityPrivilege
  pid: 1580
  process: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe, cmd.exe
  description                        pid   process                                                                   target process
  PID 1580 wrote to memory of 1620   1580  16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe  MediaCenter.exe  (4 entries)
  PID 1580 wrote to memory of 752    1580  16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe  cmd.exe          (4 entries)
  PID 752 wrote to memory of 1432    752   cmd.exe                                                                   PING.EXE         (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe"
  PID: 1580
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1620
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe"
    PID: 752
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1432
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 2d29fed0e087f6fc89ddd0e7f35ef0f9
SHA1: c7b68c80090fd0e8f571b594466843fcbda8c7e0
SHA256: 5a78c6c56ee91c5fa6c4079511828384ab8177eb3e33b02795a5c4bc15345bd6
SHA512: 9e6aa9497c6aba4b5dcf211aa6463922918b5770e9f41a89028238ec78f9ef565781a9db917caa6ee53b68a6e4318ac91df008d0d1b143da552c95f96ee4520f