Analysis
- max time kernel: 152s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:17
Static task: static1
Behavioral task: behavioral1
- Sample: 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe
- Resource: win10v2004-en-20220113
General
- Target: 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe
- Size: 58KB
- MD5: fcfdc8f1721f7bc4eec116875c5641fb
- SHA1: bffa64cc0699cfa1c0670e938ca46a4de0bf53f3
- SHA256: 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4
- SHA512: 27fef9e7b247475189613fc2de4f4b51b99ffbfe2bb3774127264d1f5c386cc5e10823998c118471541bfa19a84109730efc4c0ce8056773d325b949edacc7a2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1452)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1084)
- Loads dropped DLL (2 IoCs)
  Processes: 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe (PID 1636), 2 loads
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe (PID 1636), Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1636 (159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe) wrote to memory of PID 1452 (MediaCenter.exe): 4 times
  PID 1636 (159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe) wrote to memory of PID 1084 (cmd.exe): 4 times
  PID 1084 (cmd.exe) wrote to memory of PID 1788 (PING.EXE): 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe"
  PID: 1636
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1452
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe"
    PID: 1084
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1788
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b72fe9e8db0a0486253d8c8357cefb58
- SHA1: 405986e61746312084b63801cbc887b517bf2d46
- SHA256: 7ef3db58b0620aff34e41d4eeac1cd1102c859ad88174d800626a91f52c1a9c9
- SHA512: fe4575ceeb0e60077d25fcbb9b0e2871619a6419e9ae579cc55ee4db18987aa65ca5fd8867fef4a5f8b6952233bde5ff0b6082638df449d7faeeed53820fb84a