Analysis
- max time kernel: 120s
- max time network: 127s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:25

Static task: static1
Behavioral task: behavioral1
- Sample: 15568acaca4a498de3edaa482ad96d9f0a3bedd8b1c38b3d86359d36e2c042fb.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 15568acaca4a498de3edaa482ad96d9f0a3bedd8b1c38b3d86359d36e2c042fb.exe
- Resource: win10v2004-en-20220112
General
- Target: 15568acaca4a498de3edaa482ad96d9f0a3bedd8b1c38b3d86359d36e2c042fb.exe
- Size: 35KB
- MD5: cf65205399c96c7ac1afc0068e59ae91
- SHA1: 3d9b77d4bc144f49783497f8e493429f2760cb74
- SHA256: 15568acaca4a498de3edaa482ad96d9f0a3bedd8b1c38b3d86359d36e2c042fb
- SHA512: 26b20289eaed8595ae4154e6f0a3cc7e99eaf831215961671fbed82c8e66083235250655dad01794089822a798eb53746ec4b5b74b03ccebb79c7871e927ea9d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1892)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 1484)
  (The file removed is the original sample; the sandbox attributes the action to the cmd.exe child that runs the del, not to the sample process itself.)
- Loads dropped DLL (2 IoCs)
  Process: 15568acaca4a498de3edaa482ad96d9f0a3bedd8b1c38b3d86359d36e2c042fb.exe (PID 1308), two loads
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 15568acaca4a498de3edaa482ad96d9f0a3bedd8b1c38b3d86359d36e2c042fb.exe (PID 1308)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: the value sits under HKLM (a machine-wide autostart location, so the sample ran with rights to write it) and under Wow6432Node because the sample is a 32-bit process on x64 Windows and WOW64 redirected the write. 64-bit Windows launches entries from both the native and the Wow6432Node Run keys, so a hunt for the value name MicroMedia has to query both views (reg query with /reg:32 and again with /reg:64). The persisted binary lives in the user's Temp directory, which is a strong signal by itself: legitimate software does not autostart from %TEMP%.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: "Likely ransomware behaviour" is the sandbox's generic description for this signature. Nothing else in this report (no mass file modification, no ransom note) points to encryption, and drive enumeration is also common in installers and remote-access tools, so treat the label as a weak signal for this sample.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 1800), ping 127.0.0.1, spawned by cmd.exe (PID 1484); see the process tree below.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 15568acaca4a498de3edaa482ad96d9f0a3bedd8b1c38b3d86359d36e2c042fb.exe (PID 1308) enabled Token: SeIncBasePriorityPrivilege
  (This privilege allows raising the base priority of processes. Enabling it is not harmful on its own, but a 35KB dropper has no ordinary reason to adjust its token privileges.)
- Suspicious use of WriteProcessMemory (12 IoCs)
  writer PID / image -> target PID / image (number of writes)
  1308 15568acaca4a498de3edaa482ad96d9f0a3bedd8b1c38b3d86359d36e2c042fb.exe -> 1892 MediaCenter.exe (4)
  1308 15568acaca4a498de3edaa482ad96d9f0a3bedd8b1c38b3d86359d36e2c042fb.exe -> 1484 cmd.exe (4)
  1484 cmd.exe -> 1800 PING.EXE (4)
  Caveat: every target is a direct child the writer had just created, and a parent writing a handful of times into a freshly started child is what ordinary process creation looks like on this platform. This is not evidence of injection into an unrelated process; the signature matters only in combination with the rest of the tree.
Processes
- C:\Users\Admin\AppData\Local\Temp\15568acaca4a498de3edaa482ad96d9f0a3bedd8b1c38b3d86359d36e2c042fb.exe (PID 1308)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15568acaca4a498de3edaa482ad96d9f0a3bedd8b1c38b3d86359d36e2c042fb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1892, child of 1308)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1484, child of 1308)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15568acaca4a498de3edaa482ad96d9f0a3bedd8b1c38b3d86359d36e2c042fb.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1800, child of 1484)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Notes on the tree:
- The chain is a plain dropper: the sample writes MediaCenter.exe to %TEMP%\MicroMedia, registers it in the Run key, starts it, then removes its own file.
- "ping 127.0.0.1 & del /q <sample>" is a self-deletion idiom. cmd.exe waits for ping to finish (four echo requests to loopback, a few seconds), which gives the dropper time to exit and release the lock on its own image before del runs. The single & means del runs whatever ping returns, and /q suppresses confirmation prompts. Any cmd.exe whose command line pairs a loopback ping with a del of its parent's image is worth a detection rule.
- The command line names C:\Windows\System32\cmd.exe, but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: the sample is 32-bit, and WOW64 file-system redirection maps System32 to SysWOW64 for 32-bit callers. Rules keyed on the full System32 path would miss this launch.
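The two behaviours in this tree (a Run key pointing into %TEMP% and the ping-and-del self-deletion of the parent's image) are easy to turn into detection logic. The following Python is an added example and is not part of the sandbox report or the sample: it runs over a constructed list of Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) modelled on the tree and Run-key IoC above, plus two benign controls that are assumed for contrast, and rates a cmd.exe launch as high severity only when the file it deletes is the image of the process that spawned it. The event field names follow Sysmon's; the events themselves are constructed, not captured.

```python
"""Detection logic for the dropper behaviours seen in the report above.

Added example (not part of the sandbox report). Input events are constructed
dictionaries using Sysmon field names: EventID 1 = process create,
EventID 13 = registry value set.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\15568acaca4a498de3edaa482ad96d9f0a3bedd8b1c38b3d86359d36e2c042fb.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report's process tree and Run-key IoC,
# plus two benign controls (PIDs 2001 and 2200). Not real sensor output.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1308, "ParentProcessId": 900,
     "Image": SAMPLE, "CommandLine": '"' + SAMPLE + '"'},
    {"EventID": 13, "ProcessId": 1308, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 1892, "ParentProcessId": 1308,
     "Image": DROPPED, "CommandLine": DROPPED},
    {"EventID": 1, "ProcessId": 1484, "ParentProcessId": 1308,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"EventID": 1, "ProcessId": 1800, "ParentProcessId": 1484,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    # Benign control: same ping-then-del idiom, but the target is a log file, not the parent's image.
    {"EventID": 1, "ProcessId": 2001, "ParentProcessId": 2000,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping -n 3 127.0.0.1 & del /q "C:\Temp\build.log"'},
    # Benign control: Run key pointing at an installed program directory.
    {"EventID": 13, "ProcessId": 2200, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

# "ping <loopback>" used purely as a delay before the next command on the same line.
PING_LOOPBACK_RE = re.compile(r"\bping\b[^&|]*\s(?:127\.0\.0\.1|localhost|::1)(?=\s|$)", re.I)
# "& del [/flags] <path>" as the final command; captures the path with or without quotes.
DEL_RE = re.compile(r'&+\s*(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$', re.I)
# Run / RunOnce value under either the native or the Wow6432Node view.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
# Command path inside a user-writable Temp directory.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Temp)\\", re.I)


def parse_self_delete(cmdline):
    """Return the path removed by a 'ping <loopback> & del <path>' line, or None."""
    if not PING_LOOPBACK_RE.search(cmdline):
        return None
    m = DEL_RE.search(cmdline)
    return m.group(1).strip() if m else None


def detect_self_deletion(events):
    """Flag cmd.exe launches that delay with ping and then delete a file.

    Severity is 'high' when the deleted path is the image of the process that
    spawned cmd.exe (the dropper removing itself, as in the report), 'low' otherwise.
    """
    image_by_pid = {e["ProcessId"]: e["Image"] for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        target = parse_self_delete(e["CommandLine"])
        if target is None:
            continue
        parent_image = image_by_pid.get(e["ParentProcessId"], "")
        deletes_parent = target.lower() == parent_image.lower()
        findings.append({"pid": e["ProcessId"], "deleted_path": target,
                         "deletes_parent": deletes_parent,
                         "severity": "high" if deletes_parent else "low"})
    return findings


def detect_temp_run_key(events):
    """Flag Run/RunOnce values whose command lives in a user-writable Temp directory."""
    findings = []
    for e in events:
        if e["EventID"] != 13:
            continue
        m = RUN_KEY_RE.search(e["TargetObject"])
        if not m or not TEMP_DIR_RE.search(e["Details"]):
            continue
        findings.append({"pid": e["ProcessId"], "value_name": m.group(1),
                         "command": e["Details"],
                         "wow64_view": "\\wow6432node\\" in e["TargetObject"].lower()})
    return findings


if __name__ == "__main__":
    for finding in detect_self_deletion(SAMPLE_EVENTS) + detect_temp_run_key(SAMPLE_EVENTS):
        print(finding)
```

Matching on the parent's image rather than on the ping-and-del string alone is what keeps the rule quiet: build scripts and installers use the same delay idiom, but only a dropper deletes the file that spawned the cmd.exe. The Run-key check deliberately accepts both registry views, since the Wow6432Node path in this report is only where a 32-bit writer lands.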
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6edd10f388871139989be51539e8fa5e
  SHA1: ce16f2ee997297177423e23e2696a1063c1b1ef9
  SHA256: 3890d1c8a2c5de97eb1237c0bba44f6f0c16eb67245d0ce6fda73f389591c2f3
  SHA512: a83a92f52791db88d438a9b39ab2a60f7a4c5316b09e4eb0bbde45b734bd86f3e5275fcc9acf316f931ad7ef7192cbfaaadcd5cde74a5bd2c7fad64030451f2b
  (These hashes differ from the submitted sample's, so this is a second file; the report does not name it.)