Analysis
Max time kernel: 123s
Max time network: 141s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 03:51
Static task: static1
Behavioral task: behavioral1
  Sample: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe
  Resource: win10v2004-en-20220113
General
Target: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe
Size: 36KB
MD5: 23119c66a8630a47b3056d58de65af9e
SHA1: 86ba539a5ebe214e4599075209960bd6414145c6
SHA256: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4
SHA512: 72732e8a9344081e9e27f45145535d67a3a5abefe7ac3dfa156f1cf07cf33a00ebbcf5afed32398aeaddcbc34aba04e9deaac9b71a7facbed60a32e8f5a1eb57
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 972)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 396)
- Loads dropped DLL (2 IoCs)
  Processes: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe (PID 1388), two DLL loads
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe (PID 1388)
  Description: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe, cmd.exe
  Source PID | Source process                                                          | Target PID | Target process   | Occurrences
  1388       | 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe | 972        | MediaCenter.exe  | 4
  1388       | 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe | 396        | cmd.exe          | 4
  396        | cmd.exe                                                                 | 1192       | PING.EXE         | 4
Processes
C:\Users\Admin\AppData\Local\Temp\16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1388
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 972
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 396
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 1192
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: cd6eb5352f49d23169a3f7ee710c1d80
SHA1: e15ee4b02111f7725aa58e40f0660cc63fe33e37
SHA256: fe7d3ce06887e571f7159b7829e5370dd1b1c11de7c9d743a5ca3a58264ecacb
SHA512: e9d92d848e0f2a72ac11d5d6a3aa192ce0b2bf27d5748706ea504cf4e50644cbe1d17eca225374f56f1a8fbb4f5ece6679b6e0fb9edf93d69f1d0588115a2095