Analysis
-
max time kernel
120s -
max time network
134s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 04:20
Static task
static1
Behavioral task
behavioral1
Sample
157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe
Resource
win10v2004-en-20220113
General
-
Target
157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe
-
Size
36KB
-
MD5
58dba58c9e40ed81aacc634594b2af34
-
SHA1
b6c674a0cffd865906ae32106632fe9440aa7320
-
SHA256
157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d
-
SHA512
04aa74e2246852b313c4f6f9bedf39faa39251f8f1062b4ed2ed4719afa4f7d31b66ae926271587ac0ccb1d634bd22bd373ec1edd50554d637a768c5497e3ea5
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 524 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 820 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exepid process 1176 157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe 1176 157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exedescription pid process Token: SeIncBasePriorityPrivilege 1176 157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.execmd.exedescription pid process target process PID 1176 wrote to memory of 524 1176 157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe MediaCenter.exe PID 1176 wrote to memory of 524 1176 157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe MediaCenter.exe PID 1176 wrote to memory of 524 1176 157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe MediaCenter.exe PID 1176 wrote to memory of 524 1176 157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe MediaCenter.exe PID 1176 wrote to memory of 820 1176 157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe cmd.exe PID 1176 wrote to memory of 820 1176 157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe cmd.exe PID 1176 wrote to memory of 820 1176 157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe cmd.exe PID 1176 wrote to memory of 820 1176 157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe cmd.exe PID 820 wrote to memory of 1824 820 cmd.exe PING.EXE PID 820 wrote to memory of 1824 820 cmd.exe PING.EXE PID 820 wrote to memory of 1824 820 cmd.exe PING.EXE PID 820 wrote to memory of 1824 820 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe"C:\Users\Admin\AppData\Local\Temp\157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\157c17a04a88e20ad79ca9433e420533e587cee1abf21ccf3efd6b340899481d.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1824
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
eaed1da2257dca69bde0bda0a911a456
SHA185ec3e0948536137b8b9c57989ba0d83c8591955
SHA256f15320085cf2155711c86f67b709ceb07f62138f38597f44c06c1b01c8327e5d
SHA51219349d6563224ee68ffebf85a16e9a3045cbda344008516bb65990f4b6e5430f3943c4bc7686ca34c8fd83be73338c220380d37f803de18de2dfb99a2af3652d
-
MD5
eaed1da2257dca69bde0bda0a911a456
SHA185ec3e0948536137b8b9c57989ba0d83c8591955
SHA256f15320085cf2155711c86f67b709ceb07f62138f38597f44c06c1b01c8327e5d
SHA51219349d6563224ee68ffebf85a16e9a3045cbda344008516bb65990f4b6e5430f3943c4bc7686ca34c8fd83be73338c220380d37f803de18de2dfb99a2af3652d
-
MD5
eaed1da2257dca69bde0bda0a911a456
SHA185ec3e0948536137b8b9c57989ba0d83c8591955
SHA256f15320085cf2155711c86f67b709ceb07f62138f38597f44c06c1b01c8327e5d
SHA51219349d6563224ee68ffebf85a16e9a3045cbda344008516bb65990f4b6e5430f3943c4bc7686ca34c8fd83be73338c220380d37f803de18de2dfb99a2af3652d