Analysis
- max time kernel: 129s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:47
Static task: static1
Behavioral task: behavioral1
  Sample: 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe
  Resource: win10v2004-en-20220113
General
- Target: 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe
- Size: 36KB
- MD5: 81a0c5ea1290721902d384cb762d6e89
- SHA1: 0afeb8bf3ed44cd45015fc712f196ea82a484d05
- SHA256: 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578
- SHA512: 0b6fa8b1a1f265b9b7bbb8f7f1054d4f131beec3b33fdafad2a029988f89fd3f6b5e0c0c47fbe962bcabf14d1f88326cac9ce0e6cc825f9cf735d61ab49d38f3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1292  process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid 1832  process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1672  process 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe
    pid 1672  process 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid 1672  process 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1672 wrote to memory of 1292 | 1672 | 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe | MediaCenter.exe
    PID 1672 wrote to memory of 1292 | 1672 | 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe | MediaCenter.exe
    PID 1672 wrote to memory of 1292 | 1672 | 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe | MediaCenter.exe
    PID 1672 wrote to memory of 1292 | 1672 | 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe | MediaCenter.exe
    PID 1672 wrote to memory of 1832 | 1672 | 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe | cmd.exe
    PID 1672 wrote to memory of 1832 | 1672 | 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe | cmd.exe
    PID 1672 wrote to memory of 1832 | 1672 | 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe | cmd.exe
    PID 1672 wrote to memory of 1832 | 1672 | 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe | cmd.exe
    PID 1832 wrote to memory of 916 | 1832 | cmd.exe | PING.EXE
    PID 1832 wrote to memory of 916 | 1832 | cmd.exe | PING.EXE
    PID 1832 wrote to memory of 916 | 1832 | cmd.exe | PING.EXE
    PID 1832 wrote to memory of 916 | 1832 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1672
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1292
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1832
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 916
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5bdb59d8a30195cee68e8c8249e75c55
  SHA1: a2bd4d99170b3fa8649664fcb226fec37d76ba34
  SHA256: 3051ad1575b292f9cd2452e73903f054aa1105df883cc54dcec18f67e0f74aa9
  SHA512: 30330bf4d3fb27fe7b71ea35da8bd2a147f38b5a4bab35871fb9f2808185f8b5ac939d41499f09c28de2556fb93c691f1e1700395fee2b5a1c6d1aa5f0485f58