Analysis
- max time kernel: 150s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:55
Static task: static1
Behavioral task: behavioral1
- Sample: 167bf87867667400442f3a8eb4c0332a9f02db46f539678b7b9a347fa94ba237.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 167bf87867667400442f3a8eb4c0332a9f02db46f539678b7b9a347fa94ba237.exe
- Resource: win10v2004-en-20220112
General
- Target: 167bf87867667400442f3a8eb4c0332a9f02db46f539678b7b9a347fa94ba237.exe
- Size: 58KB
- MD5: cf88f94bef0601dca7c03b32de2d673c
- SHA1: 65f21184516fa4693fb9d2076e30abeeff0ce414
- SHA256: 167bf87867667400442f3a8eb4c0332a9f02db46f539678b7b9a347fa94ba237
- SHA512: 8a6b7b05cd0c3b86de2fb1733959c099160b13664992883c23e6641669411d31a2d2b9979c3f07227e36f60922c4c5d6e0def577eac65819d0d9b7134e29e99b
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    process: MediaCenter.exe | pid: 516
- Deletes itself (1 IoC)
  Processes:
    process: cmd.exe | pid: 812
- Loads dropped DLL (2 IoCs)
  Processes:
    process: 167bf87867667400442f3a8eb4c0332a9f02db46f539678b7b9a347fa94ba237.exe | pid: 956
    process: 167bf87867667400442f3a8eb4c0332a9f02db46f539678b7b9a347fa94ba237.exe | pid: 956
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | process: 167bf87867667400442f3a8eb4c0332a9f02db46f539678b7b9a347fa94ba237.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege | pid: 956 | process: 167bf87867667400442f3a8eb4c0332a9f02db46f539678b7b9a347fa94ba237.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 956 wrote to memory of 516 | 956 | 167bf87867667400442f3a8eb4c0332a9f02db46f539678b7b9a347fa94ba237.exe | MediaCenter.exe (4 entries)
    PID 956 wrote to memory of 812 | 956 | 167bf87867667400442f3a8eb4c0332a9f02db46f539678b7b9a347fa94ba237.exe | cmd.exe (4 entries)
    PID 812 wrote to memory of 1792 | 812 | cmd.exe | PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\167bf87867667400442f3a8eb4c0332a9f02db46f539678b7b9a347fa94ba237.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\167bf87867667400442f3a8eb4c0332a9f02db46f539678b7b9a347fa94ba237.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 956
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
    PID: 516
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\167bf87867667400442f3a8eb4c0332a9f02db46f539678b7b9a347fa94ba237.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    PID: 812
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
      PID: 1792
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 425e98fd36651957c70c3e319b37311a
  SHA1: 0e3fd8faf191305217e78f466fb730e7c6c9784e
  SHA256: d3fdcb2fcd530ad4c8ce4e39d51b476f4878ba037ee77c9246968313453e0671
  SHA512: fd1192603ff6e7471381afb7bd978123bcd8c77d915cba7a1ae6ae538c77f0d0375f39a11146c73e2704dee33d0c9649d817ff80000cfdbf3310591d3570341d