Analysis
- max time kernel: 157s
- max time network: 180s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 12:52
Static task: static1
Behavioral task: behavioral1
  Sample: 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
  Resource: win10v2004-en-20220112
General
- Target: 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
- Size: 36KB
- MD5: 755a0ec4ea5d0e197f371946e79c0fa4
- SHA1: 8c1624e8e8b6ac4f89377f221101de904a009b8c
- SHA256: 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5
- SHA512: 9f13eeed8ac5541ca535555fa05ce95cbb494df112f7cfe74a69917474cece18a87d11064119da4cc4ffde34701603e0d1e40e4ba310416a7b3a3c3a0717cd81
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    1600  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
    1516  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1672  0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
    1672  0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1672  0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1672 wrote to memory of 1600  1672  0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe  MediaCenter.exe
    PID 1672 wrote to memory of 1600  1672  0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe  MediaCenter.exe
    PID 1672 wrote to memory of 1600  1672  0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe  MediaCenter.exe
    PID 1672 wrote to memory of 1600  1672  0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe  MediaCenter.exe
    PID 1672 wrote to memory of 1516  1672  0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe  cmd.exe
    PID 1672 wrote to memory of 1516  1672  0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe  cmd.exe
    PID 1672 wrote to memory of 1516  1672  0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe  cmd.exe
    PID 1672 wrote to memory of 1516  1672  0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe  cmd.exe
    PID 1516 wrote to memory of 640  1516  cmd.exe  PING.EXE
    PID 1516 wrote to memory of 640  1516  cmd.exe  PING.EXE
    PID 1516 wrote to memory of 640  1516  cmd.exe  PING.EXE
    PID 1516 wrote to memory of 640  1516  cmd.exe  PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0feae96a9b11ae52302e5063f953b115
  SHA1: 17c5053899a2c5982c824e9c50c453eef0d71314
  SHA256: 95117319bf9cb96412e087a687bf8cbe95ef54f23218d7941a4251eb5f95779f
  SHA512: 38c264c6f6e6c6a9ad2cccd42e21f6d6292df940cf5e841fb7723aef532cd32e3e7d41d3160d3b2350b3fd4720de6995f0c5760da933c6444beac051cdc38c72
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0feae96a9b11ae52302e5063f953b115
  SHA1: 17c5053899a2c5982c824e9c50c453eef0d71314
  SHA256: 95117319bf9cb96412e087a687bf8cbe95ef54f23218d7941a4251eb5f95779f
  SHA512: 38c264c6f6e6c6a9ad2cccd42e21f6d6292df940cf5e841fb7723aef532cd32e3e7d41d3160d3b2350b3fd4720de6995f0c5760da933c6444beac051cdc38c72
- memory/1672-55-0x0000000075801000-0x0000000075803000-memory.dmp
  Filesize: 8KB