Analysis
max time kernel: 125s
max time network: 151s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:56
Static task: static1
Behavioral task: behavioral1
  Sample: 166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b.exe
  Resource: win10v2004-en-20220112
General
Target: 166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b.exe
Size: 60KB
MD5: 68d084653c357bb4d3028f594da2b0fa
SHA1: 2b491b4ee133e8ae4936950a31301f24d3e26398
SHA256: 166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b
SHA512: e46d17049543bbd24b80368952671a75cef4d4d95847ae31ad61375cc9c3ccfa8e2ff1d8c2b054be72c7192c7e81c62c0d08f64317f00abd6953c96f9d4ceef9
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  PID 1312  MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  PID 1080  cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 1632  166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b.exe
  PID 1632  166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b.exe
The Wow6432Node path shows a 32-bit process writing the machine-wide Run key through the WOW64 registry redirector on the x64 host; the value relaunches the dropped MediaCenter.exe from the user's Temp directory at every logon, which is the persistence that survives the sample deleting its own original file.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description of the signature; nothing else in this run's signatures points to file encryption.)

Runs ping.exe (1 TTP, 1 IoC)
Processes:
  PID 1040  PING.EXE (ping 127.0.0.1, spawned by cmd.exe PID 1080; see the process tree)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Description: Token: SeIncBasePriorityPrivilege
  PID 1632  166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source PID wrote to memory of target PID; each pair is reported four times, 12 IoCs in total):
  PID 1632 wrote to memory of 1312  166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b.exe -> MediaCenter.exe
  PID 1632 wrote to memory of 1080  166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b.exe -> cmd.exe
  PID 1080 wrote to memory of 1040  cmd.exe -> PING.EXE
These writes line up exactly with the parent-child relationships in the process tree rather than with injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b.exe"
   PID: 1632
   Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1312
      Signatures: Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b.exe"
      PID: 1080
      Signatures: Deletes itself; Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1040
         Signatures: Runs ping.exe

The sample is a 32-bit executable: the command line names System32\cmd.exe, but the image that actually runs is SysWOW64\cmd.exe, which is WOW64 file system redirection at work. The "ping 127.0.0.1 & del /q" pair is the common self-deletion idiom: the ping is a short delay so the dropper has exited and released its image before del removes the original file, leaving only the MicroMedia\MediaCenter.exe copy and its Run key behind.
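The two behaviours in this tree that are worth a detection rule are the Run-key value pointing into the user's Temp directory and the "cmd.exe /c ping 127.0.0.1 & del /q <own path>" self-deletion idiom. The Python below is an added example written for this page, not code from the sandbox, the sample or any vendor: it runs both checks over constructed process-creation and registry-set events modelled on the report (the event shape and the parent PID 1000 of the sample are assumptions; the PIDs, paths, command lines and registry value mirror the report), and it only reports a self-delete when the deleted path is the image of the cmd.exe's parent, so an ordinary "ping & del" of some other file does not fire.

```python
import re
from typing import Optional

SAMPLE = "166e7d8daf8c94462f2b37436ce7dd9e4cdc389097b2b800f33c450f2a87288b.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROPPED_PATH = TEMP + r"\MicroMedia\MediaCenter.exe"

# Constructed sample events (not a real sandbox or Sysmon export). The event
# shape and the parent PID 1000 of the sample are assumptions; the PIDs, paths,
# command lines and registry value mirror the report. The last two events are
# benign look-alikes that the rules must not flag.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 1632, "ppid": 1000, "image": SAMPLE_PATH,
     "cmdline": '"' + SAMPLE_PATH + '"'},
    {"kind": "registry", "pid": 1632,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED_PATH},
    {"kind": "process", "pid": 1312, "ppid": 1632, "image": DROPPED_PATH,
     "cmdline": DROPPED_PATH},
    {"kind": "process", "pid": 1080, "ppid": 1632, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'},
    {"kind": "process", "pid": 1040, "ppid": 1080, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"kind": "process", "pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping -n 4 10.0.0.1 & echo done'},
    {"kind": "registry", "pid": 2001,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

# Run / RunOnce under either the native or the Wow6432Node view of the hive.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Locations a non-admin user can write to; an autostart there is worth a look.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
# "ping <host> & del [/switches] <path>": the ping is only there as a delay.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?\S+.*?&\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE)


def run_key_to_user_writable(key: str, data: str) -> Optional[str]:
    """Return the autostart path if a Run/RunOnce value points into a
    user-writable directory, else None."""
    if not RUN_KEY_RE.search(key):
        return None
    path = data.strip().strip('"')
    return path if USER_WRITABLE_RE.search(path) else None


def parse_ping_then_delete(cmdline: str) -> Optional[str]:
    """Return the path deleted by a 'ping <host> & del <path>' command line,
    or None if the command line does not have that shape."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("target").strip() if m else None


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def analyze(events: list) -> list:
    """Walk the event stream once, remembering each PID's image so a delete can
    be matched against the image of the cmd.exe's parent. Returns findings in
    event order."""
    image_by_pid = {}
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            image_by_pid[ev["pid"]] = ev["image"]
            target = parse_ping_then_delete(ev["cmdline"])
            parent_image = image_by_pid.get(ev["ppid"])
            if target and parent_image and _norm(target) == _norm(parent_image):
                findings.append({"rule": "self_delete_via_ping", "pid": ev["pid"],
                                 "parent_pid": ev["ppid"], "target": target})
        elif ev["kind"] == "registry":
            path = run_key_to_user_writable(ev["key"], ev["data"])
            if path:
                findings.append({"rule": "run_key_user_writable", "pid": ev["pid"],
                                 "key": ev["key"], "path": path})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events it yields exactly two findings: the MicroMedia Run value written by PID 1632, and the self-delete by cmd.exe PID 1080 whose target is the image of its parent 1632. The benign "ping & echo" command and the Program Files Run value produce nothing, which is the point of tying the delete target to the parent image rather than alerting on every "ping & del".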
Network
MITRE ATT&CK Enterprise v6
Downloads
Three download entries carry the same hash set:
MD5: 6f43f876dfaa7c1ddc5ae47920834a40
SHA1: 7016a87813a42dcdfad84d766158ac182e49578c
SHA256: 727455f758ea5f511fa087c9817e64922c724050ee03c8419c6cc4dd58627de0
SHA512: 660378df8da59b5e48e309fbae0564b985ea761cc0c62fe7be8252654cc51ca05076585404cf2fe00799a4f5b44b288424433e3de91ef0c01af568a8966a8e83