Analysis
max time kernel: 161s
max time network: 169s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:05
Static task: static1
Behavioral task: behavioral1
  Sample: 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe
  Resource: win10v2004-en-20220113
General
Target: 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe
Size: 60KB
MD5: dadb09cc32fed64845403a722d2fb4de
SHA1: 3c4dd074d536f579f855130173fdd80f4166822a
SHA256: 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0
SHA512: 9e782903afbc1e9e088ef5678b014b1f9326a63b2541a8f3bfe7205cccbe8dbd17beec73dece49949f2b292c588be6cbbf171b7acc72fc9ea1a9286ff8738b27
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    320 | MediaCenter.exe

Deletes itself (1 IoCs)
  Processes:
    pid | process
    600 | cmd.exe

Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    976 | 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe
    976 | 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 976 | 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 976 wrote to memory of 320 | 976 | 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe | MediaCenter.exe
    PID 976 wrote to memory of 320 | 976 | 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe | MediaCenter.exe
    PID 976 wrote to memory of 320 | 976 | 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe | MediaCenter.exe
    PID 976 wrote to memory of 320 | 976 | 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe | MediaCenter.exe
    PID 976 wrote to memory of 600 | 976 | 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe | cmd.exe
    PID 976 wrote to memory of 600 | 976 | 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe | cmd.exe
    PID 976 wrote to memory of 600 | 976 | 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe | cmd.exe
    PID 976 wrote to memory of 600 | 976 | 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe | cmd.exe
    PID 600 wrote to memory of 1084 | 600 | cmd.exe | PING.EXE
    PID 600 wrote to memory of 1084 | 600 | cmd.exe | PING.EXE
    PID 600 wrote to memory of 1084 | 600 | cmd.exe | PING.EXE
    PID 600 wrote to memory of 1084 | 600 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 976

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 320

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 600

    C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1084
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 4ae3e0beda58159d22d61779809c645c
SHA1: 3abc80cb4a16275fb1e826fb3285d38128a0c7e4
SHA256: c474a16bb05b826c206ce8883671605a81d9b8dcdff6fa4c1519f4c9c88f5643
SHA512: 7bcd558022553223697af3370047a980ea493f337d0bcbb8952b61e7f55eebfeb6d3658fadaa02c6435ce95b4a439e0483902188b29f3580073016f942640a6a