Analysis
- max time kernel: 122s
- max time network: 135s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:49
Static task: static1
Behavioral task: behavioral1
  Sample: 16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe
  Resource: win10v2004-en-20220113
General
- Target: 16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe
- Size: 58KB
- MD5: c3643b06640a0f03fcf41b48d1f6cda8
- SHA1: 8608e04b22992ea35c4a34b1a1ac5740fdcbec9d
- SHA256: 16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98
- SHA512: 31a0ef4810f95e4027e560d8d5482f6e529f8106ea56d3c4e525c66d529cd67354e63538d0eaa9ee7789cf4acd6e430dd0efdfe21d7ac4e1baa177c1e3e6fc02
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    1660  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
    1528  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1468  16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe
    1468  16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1468  16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1468 wrote to memory of 1660  1468  16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe  MediaCenter.exe
    PID 1468 wrote to memory of 1660  1468  16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe  MediaCenter.exe
    PID 1468 wrote to memory of 1660  1468  16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe  MediaCenter.exe
    PID 1468 wrote to memory of 1660  1468  16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe  MediaCenter.exe
    PID 1468 wrote to memory of 1528  1468  16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe  cmd.exe
    PID 1468 wrote to memory of 1528  1468  16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe  cmd.exe
    PID 1468 wrote to memory of 1528  1468  16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe  cmd.exe
    PID 1468 wrote to memory of 1528  1468  16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe  cmd.exe
    PID 1528 wrote to memory of 980  1528  cmd.exe  PING.EXE
    PID 1528 wrote to memory of 980  1528  cmd.exe  PING.EXE
    PID 1528 wrote to memory of 980  1528  cmd.exe  PING.EXE
    PID 1528 wrote to memory of 980  1528  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe"
  PID: 1468
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1660
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16b5a2a31a643beb7522dbbce8cb5b44482403d4f41c5d111b0d32ee2988eb98.exe"
    PID: 1528
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 980
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 43675cfdddfca451fc70f90de0b9e5c6
  SHA1: 2767b190ddd2dfac2f16a92a2cb7623b7849e66f
  SHA256: 6d78d0fe9d109df54e1372c368d3ac5313ff2832a085114c41c6546738489af7
  SHA512: 0d775c40d7d0cb6d3516855c43b765482a0acf1e05e734a64d7f3c331f25b80e54b21e3fd17c7311b3dac417afb971e0ecd3f2cef3c9aa436fefaacbd9da0115