Analysis
- max time kernel: 134s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:04
Static task: static1
Behavioral task: behavioral1
- Sample: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe
- Resource: win10v2004-en-20220112
General
- Target: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe
- Size: 35KB
- MD5: 754df238e8899bf1902e0d46af034c69
- SHA1: 5f3268b478c885d5c3eaa5d2246c9a2e02b1c576
- SHA256: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e
- SHA512: 6fde867c33edf90c5d1178d19dd8004f2239f81ff49062daeb3816ef72ea0f03e12bcb116390f162b5a693e72c20b5d036c41f36d76b01659b0463ad2ccc5cce
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1304)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 812)
- Loads dropped DLL (2 IoCs)
  Processes: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe (PID 964), two DLL loads recorded
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe (PID 964)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but the signature fires on drive enumeration alone; nothing else in this run (no mass file modification, no ransom note) corroborates that reading, and the observed chain (drop to %TEMP%, persist via Run key, delete the original) is a generic dropper pattern.
- Runs ping.exe (1 TTP, 1 IoC)
  Processes: PING.EXE (PID 1864), command line "ping 127.0.0.1", spawned by cmd.exe (PID 812) as a delay before the delete
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe (PID 964)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe, cmd.exe

  source PID | source process | target PID | target process | events
  964 | 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe | 1304 | MediaCenter.exe | 4
  964 | 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe | 812 | cmd.exe | 4
  812 | cmd.exe | 1864 | PING.EXE | 4

  The four writes per target are the normal parent-to-child writes made while creating a process; on their own they do not indicate injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe (PID 964)
  Command line: "C:\Users\Admin\AppData\Local\Temp\161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1304)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 812)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1864)
      Command line: ping 127.0.0.1
      - Runs ping.exe

The sample is a 32-bit binary: its Run value lands under Wow6432Node, and although the command line names System32\cmd.exe, file-system redirection resolves it to SysWOW64\cmd.exe. The "ping 127.0.0.1 & del /q <own path>" idiom gives the original process time to exit before the delete runs, so the only file left on disk is the copy in %TEMP%\MicroMedia.
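Added detection example, not part of the sandbox report: the two behaviours it attributes to PID 964 (a Run value pointing into %LOCALAPPDATA%\Temp, and a cmd.exe child that pings and then deletes the parent's own image) are checked over constructed process-creation and registry events that mirror the report's process tree and registry IoC. The event field names (type, image, cmdline, parent_image, key, data) are an assumed Sysmon-like schema, not the sandbox's export format. A benign Run value is included as a control.

```python
"""Detect Run-key persistence into %TEMP% and the 'ping & del' self-delete
idiom over Sysmon-like process/registry events (constructed, see EVENTS)."""
import re

# Run or RunOnce key under any hive prefix (HKLM\..., \REGISTRY\MACHINE\..., Wow6432Node\...)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# cmd[.exe] /c ping <anything> & del [switches] "<path>"  (delay, then delete)
SELF_DELETE_RE = re.compile(
    r'cmd(\.exe)?"?\s+/c\s+ping\b[^&]*&\s*del\b[^"]*"?(?P<path>[^"]+?)"?\s*$', re.I)


def _norm(path):
    """Case-fold and unquote a Windows path for comparison."""
    return path.strip('"').lower()


def is_self_delete(event):
    """True for a cmd.exe whose command line pings then deletes its parent's image."""
    if not event.get("image", "").lower().endswith("\\cmd.exe"):
        return False
    m = SELF_DELETE_RE.search(event.get("cmdline", ""))
    return bool(m) and _norm(m.group("path")) == _norm(event.get("parent_image", ""))


def is_temp_run_key(event):
    """True for a Run/RunOnce value whose data launches something under %LOCALAPPDATA%\\Temp."""
    return (event.get("type") == "registry_set"
            and bool(RUN_KEY_RE.search(event.get("key", "")))
            and bool(TEMP_RE.search(event.get("data", ""))))


def analyze(events):
    """Return (finding, pid, detail) tuples; pid is the process that performed the action."""
    findings = []
    for ev in events:
        if ev.get("type") == "process_create" and is_self_delete(ev):
            findings.append(("self_delete", ev["parent_pid"], _norm(ev["parent_image"])))
        elif is_temp_run_key(ev):
            findings.append(("run_key_persistence", ev["pid"], ev["key"].rsplit("\\", 1)[-1]))
    return findings


def droppers(events):
    """PIDs that both persisted into Temp and removed their own image: the dropper signature."""
    by_pid = {}
    for kind, pid, _ in analyze(events):
        by_pid.setdefault(pid, set()).add(kind)
    return sorted(pid for pid, kinds in by_pid.items()
                  if {"self_delete", "run_key_persistence"} <= kinds)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report's process tree and registry IoC (assumed schema).
EVENTS = [
    {"type": "process_create", "pid": 1304, "image": DROPPED, "cmdline": DROPPED,
     "parent_pid": 964, "parent_image": SAMPLE},
    {"type": "process_create", "pid": 812, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"',
     "parent_pid": 964, "parent_image": SAMPLE},
    {"type": "process_create", "pid": 1864, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1", "parent_pid": 812, "parent_image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"type": "registry_set", "pid": 964,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    # Benign control: a Run value pointing at Program Files must not fire.
    {"type": "registry_set", "pid": 2000,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
    print("dropper PIDs:", droppers(EVENTS))
```

The self-delete check keys on the target of `del` being the parent's own image rather than on the bare `ping & del` string, so an installer cleaning up a temp file in the same way does not fire; the Run-key check keys on the value data rather than the key name, so the Wow6432Node and \REGISTRY\MACHINE spellings seen in this report are covered without listing them.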
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ae8cd8ff7bcec220421cea1c8445707d
- SHA1: 85c3e1f45c88bbd44c489a23d341e4949c5c0a87
- SHA256: 7c8d2fe9d21009fc40d997a5b4819e33240385e70849e03d016b0a549ab17d9e
- SHA512: aa0d0b9b764600b77219636a7911dab31e459ea68253ba9165a1de66fe384a2ad1eec50af52661043954d94d6aedb0f47a8de4dee09e8011440bad684925c442