Analysis
max time kernel: 118s
max time network: 127s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:51
Static task: static1
Behavioral task: behavioral1
  Sample: 16a97275ecd764398019c2f1e53b251f9669327c888d8a95fb576e84dda7cdbf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16a97275ecd764398019c2f1e53b251f9669327c888d8a95fb576e84dda7cdbf.exe
  Resource: win10v2004-en-20220113
General
Target: 16a97275ecd764398019c2f1e53b251f9669327c888d8a95fb576e84dda7cdbf.exe
Size: 58KB
MD5: 3889e39c5d3f77777afc335a1eb77132
SHA1: 930c72f978b28afb47564fbe51ba7934d92bf227
SHA256: 16a97275ecd764398019c2f1e53b251f9669327c888d8a95fb576e84dda7cdbf
SHA512: 41a212d44ee003d4d08bd35950055983206a2ace5024748c62d4b2969c90abc68ded349a3c2e7a1f0ea49323de7ee18a098bd2af15cb53d2fdd5d1926a43d76d
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid 1468  MediaCenter.exe

Deletes itself (1 IoCs)
Processes:
  pid 1032  cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid 1668  16a97275ecd764398019c2f1e53b251f9669327c888d8a95fb576e84dda7cdbf.exe
  pid 1668  16a97275ecd764398019c2f1e53b251f9669327c888d8a95fb576e84dda7cdbf.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 16a97275ecd764398019c2f1e53b251f9669327c888d8a95fb576e84dda7cdbf.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeIncBasePriorityPrivilege
  pid 1668  16a97275ecd764398019c2f1e53b251f9669327c888d8a95fb576e84dda7cdbf.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source pid / source process -> target pid / target process):
  PID 1668 16a97275ecd764398019c2f1e53b251f9669327c888d8a95fb576e84dda7cdbf.exe wrote to memory of 1468 MediaCenter.exe (4 entries)
  PID 1668 16a97275ecd764398019c2f1e53b251f9669327c888d8a95fb576e84dda7cdbf.exe wrote to memory of 1032 cmd.exe (4 entries)
  PID 1032 cmd.exe wrote to memory of 1328 PING.EXE (4 entries)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\16a97275ecd764398019c2f1e53b251f9669327c888d8a95fb576e84dda7cdbf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16a97275ecd764398019c2f1e53b251f9669327c888d8a95fb576e84dda7cdbf.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1668

  (depth 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1468

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16a97275ecd764398019c2f1e53b251f9669327c888d8a95fb576e84dda7cdbf.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1032

    (depth 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1328
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 763b84c95a1e7056f198846bb7c25c38
SHA1: d548c2d4de6f4644aa6c33589c32960c50241d9d
SHA256: af950b35e489199e20ec58832a3c9497878ba73716e3a2374b4e0c68967014de
SHA512: 33cf512ecd3eb08b30a4bb0391286f48e572f08c9c98c86012cbc6f74bf2979985267d2b48c89e2e795fe6ae806e857dfdbf1dc04d976a61e23a22cd2b3d20fe