Analysis
max time kernel: 119s
max time network: 138s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:52
Static task: static1
Behavioral task: behavioral1
  Sample: 169a10bd6899fd2aea35d9f8bbbb9cea5e4615157d6ea19d92dfab9396aac3f3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 169a10bd6899fd2aea35d9f8bbbb9cea5e4615157d6ea19d92dfab9396aac3f3.exe
  Resource: win10v2004-en-20220112
General
Target: 169a10bd6899fd2aea35d9f8bbbb9cea5e4615157d6ea19d92dfab9396aac3f3.exe
Size: 35KB
MD5: 26c1c14a0b7de64393eced74911013ae
SHA1: 81bebe77280dc22c8398f91a05e4a017186fced6
SHA256: 169a10bd6899fd2aea35d9f8bbbb9cea5e4615157d6ea19d92dfab9396aac3f3
SHA512: 08b084e7f3ead6af1041f86c953070f301cbeb2142ea3c77ef58c30f496f41b8521d31cc1a32ee155dabe501b71a64ee558c4cf8444a7f45645345a43eade6f3
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1720  MediaCenter.exe
Deletes itself (1 IoCs)
  Processes (pid, process):
    1304  cmd.exe
Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1588  169a10bd6899fd2aea35d9f8bbbb9cea5e4615157d6ea19d92dfab9396aac3f3.exe
    1588  169a10bd6899fd2aea35d9f8bbbb9cea5e4615157d6ea19d92dfab9396aac3f3.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  169a10bd6899fd2aea35d9f8bbbb9cea5e4615157d6ea19d92dfab9396aac3f3.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1588  169a10bd6899fd2aea35d9f8bbbb9cea5e4615157d6ea19d92dfab9396aac3f3.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1588 wrote to memory of 1720  1588  169a10bd6899fd2aea35d9f8bbbb9cea5e4615157d6ea19d92dfab9396aac3f3.exe  MediaCenter.exe  (4 entries)
    PID 1588 wrote to memory of 1304  1588  169a10bd6899fd2aea35d9f8bbbb9cea5e4615157d6ea19d92dfab9396aac3f3.exe  cmd.exe  (4 entries)
    PID 1304 wrote to memory of 1804  1304  cmd.exe  PING.EXE  (4 entries)
Processes
1  C:\Users\Admin\AppData\Local\Temp\169a10bd6899fd2aea35d9f8bbbb9cea5e4615157d6ea19d92dfab9396aac3f3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\169a10bd6899fd2aea35d9f8bbbb9cea5e4615157d6ea19d92dfab9396aac3f3.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1588
   2  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1720
   2  C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\169a10bd6899fd2aea35d9f8bbbb9cea5e4615157d6ea19d92dfab9396aac3f3.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1304
      3  C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1804
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 9e155c04ff256ce16e3bf2da4c52244f
SHA1: 805330bb9fc896a6514cab19386c45602d7e9581
SHA256: 3265701fe175644e0272c80bdda6b5c663b410d9679e7bfdb0421204684f51f9
SHA512: 89517e92ea855b23c391c86313d1c6ea9f6752cab24c8c3f838f3d628daa84444f805eaa7dfef1220ac6a0e684c72e75bfc65e68f0d332aa387aa1a64a0a2f27