Analysis
- max time kernel: 148s
- max time network: 178s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:56
Static task: static1
Behavioral task: behavioral1
  Sample: 166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe
  Resource: win10v2004-en-20220113
General
- Target: 166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe
- Size: 36KB
- MD5: dbd7e1e079e3a7d474e1e2c7f0881a51
- SHA1: 2335d6a6837ce2a28936d70afcc07757fb5834f2
- SHA256: 166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a
- SHA512: 7ab153f83839d28f5c4123928dbd6b16192abd5a4c907ecf19c92b993c14cc23a33d1c68608380778e32c753a9e15c1503356bf22dee3c06191b5f962065d862
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1664  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid 1644  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1588  166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe
    pid 1588  166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid 1588  166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid -> target pid, source process -> target process):
    PID 1588 wrote to memory of 1664  166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe -> MediaCenter.exe
    PID 1588 wrote to memory of 1664  166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe -> MediaCenter.exe
    PID 1588 wrote to memory of 1664  166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe -> MediaCenter.exe
    PID 1588 wrote to memory of 1664  166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe -> MediaCenter.exe
    PID 1588 wrote to memory of 1644  166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe -> cmd.exe
    PID 1588 wrote to memory of 1644  166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe -> cmd.exe
    PID 1588 wrote to memory of 1644  166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe -> cmd.exe
    PID 1588 wrote to memory of 1644  166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe -> cmd.exe
    PID 1644 wrote to memory of 1640  cmd.exe -> PING.EXE
    PID 1644 wrote to memory of 1640  cmd.exe -> PING.EXE
    PID 1644 wrote to memory of 1640  cmd.exe -> PING.EXE
    PID 1644 wrote to memory of 1640  cmd.exe -> PING.EXE
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1588
  - (2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1664
  - (2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\166a1b6be385b9d0660b7d70abe5e8db6142420c28b9665178e95bda08de161a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1644
    - (3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1640
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: cd6eb5352f49d23169a3f7ee710c1d80
  SHA1: e15ee4b02111f7725aa58e40f0660cc63fe33e37
  SHA256: fe7d3ce06887e571f7159b7829e5370dd1b1c11de7c9d743a5ca3a58264ecacb
  SHA512: e9d92d848e0f2a72ac11d5d6a3aa192ce0b2bf27d5748706ea504cf4e50644cbe1d17eca225374f56f1a8fbb4f5ece6679b6e0fb9edf93d69f1d0588115a2095
- MD5: cd6eb5352f49d23169a3f7ee710c1d80
  SHA1: e15ee4b02111f7725aa58e40f0660cc63fe33e37
  SHA256: fe7d3ce06887e571f7159b7829e5370dd1b1c11de7c9d743a5ca3a58264ecacb
  SHA512: e9d92d848e0f2a72ac11d5d6a3aa192ce0b2bf27d5748706ea504cf4e50644cbe1d17eca225374f56f1a8fbb4f5ece6679b6e0fb9edf93d69f1d0588115a2095
- MD5: cd6eb5352f49d23169a3f7ee710c1d80
  SHA1: e15ee4b02111f7725aa58e40f0660cc63fe33e37
  SHA256: fe7d3ce06887e571f7159b7829e5370dd1b1c11de7c9d743a5ca3a58264ecacb
  SHA512: e9d92d848e0f2a72ac11d5d6a3aa192ce0b2bf27d5748706ea504cf4e50644cbe1d17eca225374f56f1a8fbb4f5ece6679b6e0fb9edf93d69f1d0588115a2095