Analysis
- max time kernel: 150s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:06
Static task: static1
Behavioral task: behavioral1
- Sample: 160c02430cf7675b77bbe0b28bf01e2450b56bc2c3b31bfeb84cb340e23a894c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 160c02430cf7675b77bbe0b28bf01e2450b56bc2c3b31bfeb84cb340e23a894c.exe
- Resource: win10v2004-en-20220113
General
- Target: 160c02430cf7675b77bbe0b28bf01e2450b56bc2c3b31bfeb84cb340e23a894c.exe
- Size: 35KB
- MD5: 489b7be0f9014e64a4af451fd16a2356
- SHA1: c3569eefb95ca8588231e41194947c2c274365d6
- SHA256: 160c02430cf7675b77bbe0b28bf01e2450b56bc2c3b31bfeb84cb340e23a894c
- SHA512: a777b67b9e3385a8ab0e32863f9ac3d22dda57cb7711e387014ab12b27fdfd80f70ec145e1501937d51a14c5a6487ba7034333f7067cffcd6efd992abcdf4c85
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 524 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: PID 1116 cmd.exe
  Note: the cmd.exe command line (see the process tree below) is `ping 127.0.0.1 & del /q "<sample path>"`; the loopback ping only serves as a delay so the parent has exited before `del` removes the original binary.
- Loads dropped DLL (2 IoCs)
  Processes: PID 808 160c02430cf7675b77bbe0b28bf01e2450b56bc2c3b31bfeb84cb340e23a894c.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 160c02430cf7675b77bbe0b28bf01e2450b56bc2c3b31bfeb84cb340e23a894c.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: an HKLM Run value whose target lives under a user's AppData\Local\Temp directory is a persistence indicator in its own right; the Wow6432Node path shows the 32-bit sample wrote it through WOW64 registry redirection.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: this is the sandbox's generic description for the signature; no file-encryption activity is recorded anywhere else in this report.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, PID 808 160c02430cf7675b77bbe0b28bf01e2450b56bc2c3b31bfeb84cb340e23a894c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 808 (160c02430cf7675b77bbe0b28bf01e2450b56bc2c3b31bfeb84cb340e23a894c.exe) wrote to memory of PID 524 (MediaCenter.exe): 4 events
  PID 808 (160c02430cf7675b77bbe0b28bf01e2450b56bc2c3b31bfeb84cb340e23a894c.exe) wrote to memory of PID 1116 (cmd.exe): 4 events
  PID 1116 (cmd.exe) wrote to memory of PID 1184 (PING.EXE): 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\160c02430cf7675b77bbe0b28bf01e2450b56bc2c3b31bfeb84cb340e23a894c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\160c02430cf7675b77bbe0b28bf01e2450b56bc2c3b31bfeb84cb340e23a894c.exe"
   PID: 808
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 524
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\160c02430cf7675b77bbe0b28bf01e2450b56bc2c3b31bfeb84cb340e23a894c.exe"
      PID: 1116
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1184
         - Runs ping.exe

Note on the tree: the command lines name C:\Windows\System32\cmd.exe, but the images that actually ran are under C:\Windows\SysWOW64. That is WOW64 file-system redirection for a 32-bit parent, consistent with the Wow6432Node Run key above; detection rules that match on the System32 path alone will miss these processes.
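The two behaviours worth alerting on in this report are the Run value pointing into a user's Temp directory and the `cmd /c ping 127.0.0.1 & del /q "<parent>"` self-deletion. The script below is an added example, not code from the sandbox or from the sample: it runs that detection logic over a handful of constructed process-creation and registry events shaped like the report's process tree and registry IoC (the `Event` class, the field names and the two benign control records are assumptions for the example; the registry value is written with single backslashes rather than the sandbox's escaped form). It generalises slightly beyond the page by also accepting `localhost`/`::1` pings, `-n` counts, `&&` chaining and `/f`/`/q` switches, and it distinguishes a `del` that targets the parent process's own image (true self-deletion) from a `del` of some other file.

```python
"""Detect (1) Run-key persistence into %LOCALAPPDATA%\\Temp and (2) the
"ping loopback & del" self-deletion pattern over Sysmon-style events.

Added example; the Event records below are constructed to mirror the
sandbox report, they are not the report's raw data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
LOOPBACK_RE = re.compile(r"127\.0\.0\.1|localhost|::1", re.I)
# "ping <args> & del <args>" (also matches "&&"); args of ping stop at the first '&'
PING_THEN_DEL_RE = re.compile(r"\bping\b(?P<pingargs>[^&]*)&+\s*del\b(?P<delargs>.*)", re.I)


@dataclass
class Event:
    kind: str                      # "process" (creation) or "registry" (value set)
    pid: int
    image: str                     # full path of the acting process
    parent_pid: Optional[int] = None
    cmdline: str = ""              # process events only
    key: str = ""                  # registry events only
    value: str = ""                # registry events only


def parse_ping_delete(cmdline: str) -> Optional[str]:
    """Return the path handed to `del` if cmdline is `ping <loopback> ... & del ...`,
    otherwise None. Switches such as /q and /f are skipped; quoted paths are unquoted."""
    m = PING_THEN_DEL_RE.search(cmdline)
    if not m or not LOOPBACK_RE.search(m.group("pingargs")):
        return None
    # tokens are either "quoted strings" or bare words
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', m.group("delargs")):
        tok = quoted or bare
        if tok.startswith("/"):
            continue
        return tok
    return None


def find_self_delete(events: List[Event]) -> List[Tuple[int, str, bool]]:
    """(cmd pid, deleted path, deleted path == parent's image) for every cmd.exe
    that deletes a file after a loopback ping."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in events:
        if e.kind != "process" or not e.image.lower().endswith("\\cmd.exe"):
            continue
        target = parse_ping_delete(e.cmdline)
        if target is None:
            continue
        parent = by_pid.get(e.parent_pid)
        deletes_parent = parent is not None and parent.image.lower() == target.lower()
        hits.append((e.pid, target, deletes_parent))
    return hits


def find_temp_run_keys(events: List[Event]) -> List[Tuple[int, str, str]]:
    """(pid, value name, target path) for Run/RunOnce values pointing into AppData\\Local\\Temp."""
    return [
        (e.pid, e.key.rsplit("\\", 1)[-1], e.value)
        for e in events
        if e.kind == "registry" and RUN_KEY_RE.search(e.key) and TEMP_PATH_RE.search(e.value)
    ]


# Constructed events modelled on the report's process tree and registry IoC.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\160c02430cf7675b77bbe0b28bf01e2450b56bc2c3b31bfeb84cb340e23a894c.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
EVENTS = [
    Event("process", 808, SAMPLE, cmdline=f'"{SAMPLE}"'),
    Event("process", 524, DROPPED, parent_pid=808, cmdline=DROPPED),
    Event("process", 1116, r"C:\Windows\SysWOW64\cmd.exe", parent_pid=808,
          cmdline=f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Event("process", 1184, r"C:\Windows\SysWOW64\PING.EXE", parent_pid=1116, cmdline="ping 127.0.0.1"),
    Event("registry", 808, SAMPLE,
          key=r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          value=DROPPED),
    # Benign controls (constructed): a Run value under Program Files, and a real-host ping before a log cleanup.
    Event("registry", 4000, r"C:\Program Files\Vendor\setup.exe",
          key=r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
          value=r"C:\Program Files\Vendor\agent.exe"),
    Event("process", 4100, r"C:\Windows\System32\cmd.exe", parent_pid=4000,
          cmdline='cmd.exe /c ping 10.0.0.5 & del /q "C:\\Temp\\old.log"'),
]

if __name__ == "__main__":
    for pid, path, is_parent in find_self_delete(EVENTS):
        print(f"[self-delete] cmd.exe pid {pid} deletes {path} (parent image: {is_parent})")
    for pid, name, path in find_temp_run_keys(EVENTS):
        print(f"[persistence] pid {pid} set Run\\{name} -> {path}")
```

Only the sandbox's cmd.exe (PID 1116) and Run value (PID 808) are reported; the Program Files Run value and the `ping 10.0.0.5 & del` cleanup are not. Matching `del`'s target against the parent's image path, rather than only the `ping`/`del` token pair, is what keeps the rule from firing on ordinary batch housekeeping.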
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2ecccd901ec2eff08114d0cc91bd0e86
- SHA1: 13887e722d59ecda73721d86dc715970300e827b
- SHA256: 5b21865be62b9f156be6162c1ff9c11320fd5b6b28105714045d67dd8d0b9e97
- SHA512: 98366b3e8c102b31662169b4d5e2c4bbd8562af7a95121594cba83c2c5a5ec3ac906302c96b4b794807f2f1dccb588a5b8abdba35663a9df5319deaddd7ccea1