Analysis
- max time kernel: 138s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:02
Static task: static1
Behavioral task: behavioral1
  Sample: 162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe
  Resource: win10v2004-en-20220113
General
- Target: 162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe
- Size: 36KB
- MD5: 88adc3d20c2dea06fc48f04e1484efb1
- SHA1: 49dfdbde08664940247fc8e8d56657cfe5dcfc4a
- SHA256: 162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82
- SHA512: b6c1d94ed9467be7d90ebc518fb37dd1b99dbbb3a03c28e9e43382bea99e193513b599a639cf8e1b236259c67e564ed679c93ef1d27b6c30056bc65e9fe71717
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    1784  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
    2024  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1556  162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe
    1556  162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1556  162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1556 wrote to memory of 1784  1556  162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe  MediaCenter.exe
    PID 1556 wrote to memory of 1784  1556  162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe  MediaCenter.exe
    PID 1556 wrote to memory of 1784  1556  162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe  MediaCenter.exe
    PID 1556 wrote to memory of 1784  1556  162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe  MediaCenter.exe
    PID 1556 wrote to memory of 2024  1556  162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe  cmd.exe
    PID 1556 wrote to memory of 2024  1556  162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe  cmd.exe
    PID 1556 wrote to memory of 2024  1556  162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe  cmd.exe
    PID 1556 wrote to memory of 2024  1556  162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe  cmd.exe
    PID 2024 wrote to memory of 1780  2024  cmd.exe  PING.EXE
    PID 2024 wrote to memory of 1780  2024  cmd.exe  PING.EXE
    PID 2024 wrote to memory of 1780  2024  cmd.exe  PING.EXE
    PID 2024 wrote to memory of 1780  2024  cmd.exe  PING.EXE
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1556
  - (level 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1784
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\162eaf4fa6dae9ea48a6be0d2fd7e1ccbbe3edd9c094bf6e23df72d3e1a6df82.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2024
    - (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1780
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 87f9f75545d1102f5b5d9114966e1478
  SHA1: 019f4506e9b876292248d32e047e3d425ce458b5
  SHA256: 3728fa3479e530557b8d9746001fd840e43b7b6eec7b20a78c7b298e6f845dfa
  SHA512: 791b9ff01d8d14e173de0008006d42556010a8ecfbb860b5b79a0784bc8a017d3afdf2e1b68e383c384c6782ff9f1b92145b24dc21591ddb8f05f46bb9474599