Analysis
max time kernel: 122s
max time network: 132s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:20
Static task: static1
Behavioral task: behavioral1
  Sample: 157d13860ef71812d20155fb3b066405e779cb18c16f91cb65994ac778cfe005.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 157d13860ef71812d20155fb3b066405e779cb18c16f91cb65994ac778cfe005.exe
  Resource: win10v2004-en-20220112
General
Target: 157d13860ef71812d20155fb3b066405e779cb18c16f91cb65994ac778cfe005.exe
Size: 36KB
MD5: 2793b5ca4c3e528c429bf01d1c8a8385
SHA1: 57ad1d0e6cf88bf98f6cfae327918b791148aacd
SHA256: 157d13860ef71812d20155fb3b066405e779cb18c16f91cb65994ac778cfe005
SHA512: 7f3e6b0f6de69ebe84c424a6dd8742c52495876f1d39ddf049142ecf9b29085e5385f50052f2ca80a73d6729cb21ad15cb4d4500670c0906677b1ca9ff9509d0
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1468
Deletes itself (1 IoC)
  Process: cmd.exe, PID 1020
Loads dropped DLL (2 IoCs)
  Process: 157d13860ef71812d20155fb3b066405e779cb18c16f91cb65994ac778cfe005.exe, PID 1296 (two loads recorded)
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 157d13860ef71812d20155fb3b066405e779cb18c16f91cb65994ac778cfe005.exe, PID 1296
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: the Wow6432Node path means a 32-bit process wrote HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on 64-bit Windows and was redirected by WOW64; check both the native and the Wow6432Node view of the key when triaging a host.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic sandbox heuristic; no other signature in this run records file encryption.)
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 157d13860ef71812d20155fb3b066405e779cb18c16f91cb65994ac778cfe005.exe, PID 1296, Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1296 (157d13860ef71812d20155fb3b066405e779cb18c16f91cb65994ac778cfe005.exe) wrote to memory of PID 1468 (MediaCenter.exe), 4 entries
  PID 1296 (157d13860ef71812d20155fb3b066405e779cb18c16f91cb65994ac778cfe005.exe) wrote to memory of PID 1020 (cmd.exe), 4 entries
  PID 1020 (cmd.exe) wrote to memory of PID 844 (PING.EXE), 4 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\157d13860ef71812d20155fb3b066405e779cb18c16f91cb65994ac778cfe005.exe (PID 1296)
   Command line: "C:\Users\Admin\AppData\Local\Temp\157d13860ef71812d20155fb3b066405e779cb18c16f91cb65994ac778cfe005.exe"
   Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1468)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Signatures: Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1020)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\157d13860ef71812d20155fb3b066405e779cb18c16f91cb65994ac778cfe005.exe"
      Signatures: Deletes itself; Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 844)
         Command line: ping 127.0.0.1
         Signatures: Runs ping.exe
   Note: the ping to 127.0.0.1 is a delay so that the parent has exited before del removes its file; the image path is SysWOW64 although the command line names System32 because the 32-bit parent is subject to WOW64 file-system redirection.
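The process tree and the Run-key signature above record a common dropper pattern: write a copy to a user-writable directory, register it under an autostart key, then remove the original with cmd /c ping ... & del. The following Python is an added example, not part of the sandbox report, that runs two detection checks over process-creation and registry events constructed to mirror the report (PIDs, image paths and command lines come from the tree; the parent PID 900 of the sample, the two benign control events and the user SID are made up for the example) and correlates the hits back to the dropper PID. The ATT&CK technique IDs in the comments are the editor's mapping; the report itself only gives TTP counts.

```python
import re

# Events constructed for this example to mirror the report's process tree and
# Run-key signature (not sandbox output). "ppid" links a child to its parent.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\157d13860ef71812d20155fb3b066405e779cb18c16f91cb65994ac778cfe005.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROC_EVENTS = [
    # ppid 900 is a made-up launcher PID; the report does not record it.
    {"pid": 1296, "ppid": 900, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1468, "ppid": 1296, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 1020, "ppid": 1296, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 844, "ppid": 1020, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign control (constructed): a cleanup of a log file, no ping delay,
    # and the deleted file is not the parent's image.
    {"pid": 2000, "ppid": 1500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Users\Admin\AppData\Local\Temp\setup.log"'},
]

REG_EVENTS = [
    {"pid": 1296,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    # Benign control (constructed SID): a Run entry pointing into Program Files.
    {"pid": 3000,
     "key": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]

# "ping <addr> & del <path>": ping acts as a sleep so the parent has exited
# before del runs. Group 1 captures the deleted path, quoted or not.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&\s*del\b\s+(?:/\w\s+)*"?([^"]+?)"?\s*$', re.IGNORECASE)

# Run/RunOnce autostart keys in either the native or the Wow6432Node view.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Directories a standard user can write to; an autostart target here is far
# more suspicious than one under Program Files or System32.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")


def find_self_delete(proc_events):
    """Return (cmd_pid, parent_pid, deleted_path) where cmd.exe deletes its
    own parent's image after a ping delay (ATT&CK T1070.004, File Deletion)."""
    by_pid = {e["pid"]: e for e in proc_events}
    hits = []
    for e in proc_events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1)
        parent = by_pid.get(e["ppid"])
        # Only a hit when the deleted file is the parent's own image.
        if parent and parent["image"].lower() == target.lower():
            hits.append((e["pid"], parent["pid"], target))
    return hits


def find_userwritable_runkey(reg_events):
    """Return (pid, key, value) for Run/RunOnce values whose target lives in
    a user-writable directory (ATT&CK T1547.001, Registry Run Keys)."""
    hits = []
    for r in reg_events:
        if not RUN_KEY_RE.search(r["key"]):
            continue
        target = r["value"].strip('"').lower()
        if any(seg in target for seg in USER_WRITABLE):
            hits.append((r["pid"], r["key"], r["value"]))
    return hits


def correlate(proc_events, reg_events):
    """PIDs that both installed a user-writable autostart and had their own
    image deleted through cmd/ping: the dropper pattern in the report."""
    persisted = {pid for pid, _, _ in find_userwritable_runkey(reg_events)}
    deleted = {ppid for _, ppid, _ in find_self_delete(proc_events)}
    return persisted & deleted


if __name__ == "__main__":
    for hit in find_self_delete(PROC_EVENTS):
        print("self-delete via cmd/ping:", hit)
    for hit in find_userwritable_runkey(REG_EVENTS):
        print("autostart in user-writable path:", hit)
    print("dropper PIDs:", correlate(PROC_EVENTS, REG_EVENTS))
```

Fed with Sysmon event ID 1 (process create) and ID 13 (registry value set) records mapped onto the same dict shape, the two checks fire independently, and the correlation on the writer PID is what separates this dropper pattern from an installer that legitimately registers an autostart or an uninstaller that removes a file.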
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 3d1e2d9672a5469c9cb24dec88bd1f3e
SHA1: c85d42f50f70e7781c8bf0499f01d18924d95fd8
SHA256: 82dd86987e4060f174280e1ce7716643a118f883c0f18b78d8a25d94b8bd7d3b
SHA512: 60f2eec7a4e21429853324e242afc9552c099b90670fa67d7ac1a32a1e4ffda2e8ac53e5349585e59c7a1ad5cc4d4893feb02a494dbc0e9365203cb0fd5b1407