Analysis
max time kernel: 140s
max time network: 170s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:58
Static task: static1
Behavioral task: behavioral1
  Sample: 165fea0ba623563dd0c7cd798eae33ba362476b518738d8b2c950348205ee9c0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 165fea0ba623563dd0c7cd798eae33ba362476b518738d8b2c950348205ee9c0.exe
  Resource: win10v2004-en-20220112
General
Target: 165fea0ba623563dd0c7cd798eae33ba362476b518738d8b2c950348205ee9c0.exe
Size: 60KB
MD5: 4d823bcfe7e3104fc5ef8bf49339e91f
SHA1: d40e112687a026641a318ed876c8bd8950ef8a73
SHA256: 165fea0ba623563dd0c7cd798eae33ba362476b518738d8b2c950348205ee9c0
SHA512: 8b635ec2bd85afd28459c0592c3a5d06b79506ab665bd77891a8c5fe2f71f9ccabd75905151704b6cbae078723404f872bb96a93b6a66cb5ed637852b264f553
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes: PID 1536 MediaCenter.exe
Deletes itself (1 IoC)
  Processes: PID 2024 cmd.exe
Loads dropped DLL (2 IoCs)
  Processes: PID 900 165fea0ba623563dd0c7cd798eae33ba362476b518738d8b2c950348205ee9c0.exe (2 loads)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: PID 900 165fea0ba623563dd0c7cd798eae33ba362476b518738d8b2c950348205ee9c0.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege
  Process: PID 900 165fea0ba623563dd0c7cd798eae33ba362476b518738d8b2c950348205ee9c0.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 900 (165fea0ba623563dd0c7cd798eae33ba362476b518738d8b2c950348205ee9c0.exe) wrote to memory of PID 1536 (MediaCenter.exe), 4 times
  PID 900 (165fea0ba623563dd0c7cd798eae33ba362476b518738d8b2c950348205ee9c0.exe) wrote to memory of PID 2024 (cmd.exe), 4 times
  PID 2024 (cmd.exe) wrote to memory of PID 1164 (PING.EXE), 4 times
Processes
C:\Users\Admin\AppData\Local\Temp\165fea0ba623563dd0c7cd798eae33ba362476b518738d8b2c950348205ee9c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\165fea0ba623563dd0c7cd798eae33ba362476b518738d8b2c950348205ee9c0.exe"
  PID: 900
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1536
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\165fea0ba623563dd0c7cd798eae33ba362476b518738d8b2c950348205ee9c0.exe"
    PID: 2024
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1164
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 1fd80066412ee8d454edf301167e36ae
SHA1: 7f383df449ec4b1ff92f96b89c61abfc0138b255
SHA256: 7a2dc0fedd6c25011c9a293d7878446f8834ec860f701f80fb9209fb0b11eec4
SHA512: e5434739d67ca60afb98c9286939da2ee2394c8d17060666d494086e70477fca512ebafede821074b05ffb267ee246c4abe9bdde661de9212710e7b8fcc53bdc