Analysis
  Max time kernel: 140s
  Max time network: 156s
  Platform: windows7_x64
  Resource: win7-en-20211208
  Submitted: 12-02-2022 12:28
Static task: static1

Behavioral task: behavioral1
  Sample: 0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe
  Resource: win10v2004-en-20220112
General
  Target: 0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe
  Size: 60KB
  MD5: e7b805e1ce1f5f2b422b9f233314b6a4
  SHA1: 65164d31a370bf781604d2847e01f1769abcd472
  SHA256: 0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0
  SHA512: 20b8970f25248c521d75007c2ec581c5a78aa1de521a4e420491bc3f6467eb054dd7d5a42bf1eb3613f2785e05d7dc5d6ff1d0a3844ba48f28ea705eae2fe18c
Malware Config
Signatures
  Executes dropped EXE (1 IoC)
    pid   Process
    1608  MediaCenter.exe

  Deletes itself (1 IoC)
    pid   Process
    1660  cmd.exe

  Loads dropped DLL (2 IoCs)
    pid   Process
    1500  0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe
    1500  0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe

  Adds Run key to start application (2 TTPs, 1 IoC)
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    Process: 0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Runs ping.exe (1 TTP, 1 IoC)
    pid   Process
    276   PING.EXE

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description                        pid   Process
    Token: SeIncBasePriorityPrivilege   1500  0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe

  Suspicious use of WriteProcessMemory (12 IoCs)
    description                       pid   Process                                                                   procid_target
    PID 1500 wrote to memory of 1608  1500  0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe  27
    PID 1500 wrote to memory of 1608  1500  0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe  27
    PID 1500 wrote to memory of 1608  1500  0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe  27
    PID 1500 wrote to memory of 1608  1500  0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe  27
    PID 1500 wrote to memory of 1660  1500  0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe  30
    PID 1500 wrote to memory of 1660  1500  0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe  30
    PID 1500 wrote to memory of 1660  1500  0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe  30
    PID 1500 wrote to memory of 1660  1500  0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe  30
    PID 1660 wrote to memory of 276   1660  cmd.exe                                                                   32
    PID 1660 wrote to memory of 276   1660  cmd.exe                                                                   32
    PID 1660 wrote to memory of 276   1660  cmd.exe                                                                   32
    PID 1660 wrote to memory of 276   1660  cmd.exe                                                                   32
Processes
  C:\Users\Admin\AppData\Local\Temp\0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe (PID 1500)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1608)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe (PID 1660)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0165f42ff01c5dcd0e9bc52f6547c8fe45eb71ff8cfa180f849f0a597ca688e0.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE (PID 276)
        Command line: ping 127.0.0.1
        - Runs ping.exe