Analysis
- max time kernel: 146s
- max time network: 177s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:06
Static task: static1
Behavioral task: behavioral1
- Sample: 160ecbf7ca227519b3fb2b32e52ff641d1e96c84ea6b08db3d470b13180b50ee.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 160ecbf7ca227519b3fb2b32e52ff641d1e96c84ea6b08db3d470b13180b50ee.exe
- Resource: win10v2004-en-20220113
General
- Target: 160ecbf7ca227519b3fb2b32e52ff641d1e96c84ea6b08db3d470b13180b50ee.exe
- Size: 60KB
- MD5: 1a8a652b0ca829f9cbbde5df1d3c4bba
- SHA1: f6bf01e5665d30b20e4dd6908033cb33e5e935d8
- SHA256: 160ecbf7ca227519b3fb2b32e52ff641d1e96c84ea6b08db3d470b13180b50ee
- SHA512: 6d8c3208ef12d75cdfb29cd1b136225ac301391682af8a1359fe44df62ee9acd5ed55ce0118439346e7748e6404111e9036cba8066a171778c9a0d1674e05212
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1548)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1212)
- Loads dropped DLL (2 IoCs)
  Processes: 160ecbf7ca227519b3fb2b32e52ff641d1e96c84ea6b08db3d470b13180b50ee.exe (PID 1624), 2 entries
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 160ecbf7ca227519b3fb2b32e52ff641d1e96c84ea6b08db3d470b13180b50ee.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 160ecbf7ca227519b3fb2b32e52ff641d1e96c84ea6b08db3d470b13180b50ee.exe (PID 1624), Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process):
  - PID 1624 wrote to memory of 1548: 160ecbf7ca227519b3fb2b32e52ff641d1e96c84ea6b08db3d470b13180b50ee.exe -> MediaCenter.exe (4 entries)
  - PID 1624 wrote to memory of 1212: 160ecbf7ca227519b3fb2b32e52ff641d1e96c84ea6b08db3d470b13180b50ee.exe -> cmd.exe (4 entries)
  - PID 1212 wrote to memory of 1896: cmd.exe -> PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\160ecbf7ca227519b3fb2b32e52ff641d1e96c84ea6b08db3d470b13180b50ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\160ecbf7ca227519b3fb2b32e52ff641d1e96c84ea6b08db3d470b13180b50ee.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1624
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1548
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\160ecbf7ca227519b3fb2b32e52ff641d1e96c84ea6b08db3d470b13180b50ee.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1212
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1896
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8032c68f96f3355919bd3650c5e77a85
  SHA1: 052abe39343772f19ea52c22c04200df1dfa8a8c
  SHA256: 89d2c7fbbcc66895dea8e78e5e981da46576458970fecd0f3d93e13af2ef1722
  SHA512: 7da3f2f429dc484d880c78d6aa267f5af4e658f1b5658501c0067d30fcdc401683dcb18817231570f2c2fc791d8b01e24fb3288b5f72b34acd190d4e61fb9e97