Analysis
- max time kernel: 162s
- max time network: 180s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:02
Static task: static1

Behavioral task: behavioral1
- Sample: 162b75a3e1ae870aa0372e352a0559251d55bfdc634aaf19bee578bba5a3a45d.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 162b75a3e1ae870aa0372e352a0559251d55bfdc634aaf19bee578bba5a3a45d.exe
- Resource: win10v2004-en-20220113
General
- Target: 162b75a3e1ae870aa0372e352a0559251d55bfdc634aaf19bee578bba5a3a45d.exe
- Size: 58KB
- MD5: 4f86e268674e21048afeb08f8b69b8e6
- SHA1: edb5c731b80f8b0641c2af8aaf944409cb0c9e31
- SHA256: 162b75a3e1ae870aa0372e352a0559251d55bfdc634aaf19bee578bba5a3a45d
- SHA512: 90cfd8d9b065fd3073909bbe1cb3d44cd729150e083c131aa7edf8c78401df670fc9a3dc11b4d30bf458daff2c0999568b9a29633bbb34eb37f7aad64803313c
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process): 1604 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process): 1684 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process): 964 162b75a3e1ae870aa0372e352a0559251d55bfdc634aaf19bee578bba5a3a45d.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process): Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 162b75a3e1ae870aa0372e352a0559251d55bfdc634aaf19bee578bba5a3a45d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process): Token: SeIncBasePriorityPrivilege, 964, 162b75a3e1ae870aa0372e352a0559251d55bfdc634aaf19bee578bba5a3a45d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 964 wrote to memory of 1604 | 964 | 162b75a3e1ae870aa0372e352a0559251d55bfdc634aaf19bee578bba5a3a45d.exe | MediaCenter.exe (4 events)
  - PID 964 wrote to memory of 1684 | 964 | 162b75a3e1ae870aa0372e352a0559251d55bfdc634aaf19bee578bba5a3a45d.exe | cmd.exe (4 events)
  - PID 1684 wrote to memory of 1088 | 1684 | cmd.exe | PING.EXE (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\162b75a3e1ae870aa0372e352a0559251d55bfdc634aaf19bee578bba5a3a45d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\162b75a3e1ae870aa0372e352a0559251d55bfdc634aaf19bee578bba5a3a45d.exe"
   PID: 964
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1604
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\162b75a3e1ae870aa0372e352a0559251d55bfdc634aaf19bee578bba5a3a45d.exe"
      PID: 1684
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1088
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ef7d5764192cdc597e7d59432551b54c
  SHA1: 0fb4c5ff29fd300a0277936336ad5eab12bfd66a
  SHA256: cf8c121a0c163275a236bd6b37b6b74cdb1828c337efa5ba8210500fab3e9480
  SHA512: 7cfe56bf28107b72457bc7ae32c968366920f25b45caa728d05e13925e263f3f3041c670f2f8b4891edae5e48e7268e948cfa3ce81c2e5b45d97a3d383c61263