Analysis
- max time kernel: 150s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:46

Static task: static1

Behavioral task: behavioral1
  Sample: 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe
  Resource: win10v2004-en-20220112
General
- Target: 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe
- Size: 35KB
- MD5: eeb27e07cca653898e64c8c13797b4e0
- SHA1: 33ae65c2a7908dea3ef29117d39ba8bb520b2369
- SHA256: 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd
- SHA512: f464e71a36b6a1c52c6a02775585698c96d9a34a5041be066e8e210c6b0199c67c33dd8a321ab4b60d0277d0acb35e42c0e044dbed6f28dfe9032b0682cc460a
Malware Config
Signatures

- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid 3592  process MediaCenter.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
    process: 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe
    description: Key opened
    ioc: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    process: MusNotifyIcon.exe

    description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    process: MusNotifyIcon.exe

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe
    description: Token: SeIncBasePriorityPrivilege
    pid: 1604
    process: 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe, cmd.exe
    description                      | pid  | process                                                                   | target process
    PID 1604 wrote to memory of 3592 | 1604 | 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe | MediaCenter.exe
    PID 1604 wrote to memory of 3592 | 1604 | 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe | MediaCenter.exe
    PID 1604 wrote to memory of 3592 | 1604 | 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe | MediaCenter.exe
    PID 1604 wrote to memory of 2200 | 1604 | 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe | cmd.exe
    PID 1604 wrote to memory of 2200 | 1604 | 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe | cmd.exe
    PID 1604 wrote to memory of 2200 | 1604 | 16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe | cmd.exe
    PID 2200 wrote to memory of 2608 | 2200 | cmd.exe                                                                   | PING.EXE
    PID 2200 wrote to memory of 2608 | 2200 | cmd.exe                                                                   | PING.EXE
    PID 2200 wrote to memory of 2608 | 2200 | cmd.exe                                                                   | PING.EXE
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1604

  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3592

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16d3296571e54a6b076b2cede9f6d5ebc8f4e864a83822b23b0af0600d20d3dd.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2200

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2608

Level 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
  PID: 2588

Level 1: C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 1952

Level 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
  PID: 3280
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4a8f8f74e775cbea2c143f5c9479099d
- SHA1: d276af0b649b8ce3fb69b2090e486e8117ed33f6
- SHA256: 1693947b5b2590b893db2207a196dd1c22636049e0008b15004994aac758437d
- SHA512: b97c4e4b6fe4cdd051a3cd0e62b478b009f1c1a02384c17349f85742fd310a0b598a1d8ef5e90254b76d6d5cb6787643b8b973c64455cf0004f24f8c5d839f69