Analysis
- max time kernel: 119s
- max time network: 129s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:26
Static task: static1
Behavioral task: behavioral1
  Sample: 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe
  Resource: win10v2004-en-20220112
General
- Target: 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe
- Size: 58KB
- MD5: d0924fccc9d672b68dfced05e98d367e
- SHA1: 95bf3ce4937ca2c5b90f6aba9e0f135b46d00b38
- SHA256: 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57
- SHA512: 6b9911f1c6916c179d72a03e9053a81f29a9a01bbf629047a97092e97f7f0546fcb8e0a482e60a6da698debd82c2c0a384e38f196a8e7f46c65f0c60838b93e6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1876)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 968)
- Loads dropped DLL (2 IoCs)
  Processes: 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe (PID 1704), two load events
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe (PID 1704)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.
  Caveat: this is the signature's generic description. Nothing else in this report corroborates encryption activity; the observed behaviour is that of a dropper with Run-key persistence and self-deletion.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe (PID 1704)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1704 (154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe) wrote to memory of PID 1876 (MediaCenter.exe), 4 writes
  PID 1704 (154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe) wrote to memory of PID 968 (cmd.exe), 4 writes
  PID 968 (cmd.exe) wrote to memory of PID 1920 (PING.EXE), 4 writes
  Note: every write goes from a parent to its own direct child and lines up with the process tree below, which is consistent with process-creation setup rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe (PID 1704)
   Command line: "C:\Users\Admin\AppData\Local\Temp\154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1876, child of 1704)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 968, child of 1704)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1920, child of 968)
         Command line: ping 127.0.0.1
         - Runs ping.exe

Reading the tree: the sample is a 32-bit process on 64-bit Windows, so its request for System32\cmd.exe is redirected by WOW64 to SysWOW64\cmd.exe and its Run-key write lands under Wow6432Node. The cmd.exe one-liner uses ping 127.0.0.1 as a short delay so the parent has exited before del /q removes the original file; because the commands are chained with & rather than &&, the delete runs whether or not the ping succeeds. Persistence survives the self-delete because the Run key points at the dropped copy, MediaCenter.exe, not at the original sample.
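The tree above is enough to write a host-log detection for the three behaviours this sample shows: a Run key whose value points into the user's Temp directory, a Temp-resident EXE launching another Temp-resident EXE (the dropped MediaCenter.exe), and the cmd.exe "ping 127.0.0.1 & del /q <self>" self-delete. The Python below is an added example, not part of the sandbox report and not code from the sample. It runs over constructed Sysmon-style process-create and registry-set events that mirror this report's tree (paths and PIDs copied from the report, the parent PID 1000 and the notepad.exe event invented as filler); the event classes, field names and rule names are my own simplification, not Sysmon's schema.

```python
"""Added example: detection logic for the behaviours in this report, run over
constructed Sysmon-style events (hypothetical data mirroring the process tree
above, not the sandbox's own output)."""
import re
from dataclasses import dataclass
from typing import List, Tuple, Union

# Paths and PIDs below are taken from the report.
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe")
MEDIACENTER_PATH = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Image lives under the per-user Temp directory.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "ping <addr> & del [/flags] <path.exe>": ping is a sleep, "&" (not "&&")
# runs del regardless of the ping result; the deleted path is captured.
PING_DEL_RE = re.compile(
    r'\bping\b[^&]*&\s*del\b.*?"?(?P<target>[A-Za-z]:\\[^"]+\.exe)',
    re.IGNORECASE)
# Any Run key, including the Wow6432Node view written by 32-bit processes.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                        re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Reduced Sysmon Event ID 1 (process create); field names are my own."""
    pid: int
    parent_pid: int
    image: str
    command_line: str


@dataclass
class RegistryEvent:
    """Reduced Sysmon Event ID 13 (registry value set); field names are my own."""
    pid: int
    image: str
    target_object: str
    details: str


Event = Union[ProcessEvent, RegistryEvent]
Alert = Tuple[str, int, str]  # (rule name, pid, artefact)


def detect(events: List[Event]) -> List[Alert]:
    """Return one alert per matching event, in input order."""
    alerts: List[Alert] = []
    # Index process creates by PID so a child can be tied to its parent image.
    by_pid = {e.pid: e for e in events if isinstance(e, ProcessEvent)}
    for e in events:
        if isinstance(e, ProcessEvent):
            parent = by_pid.get(e.parent_pid)
            m = PING_DEL_RE.search(e.command_line)
            if m and e.image.lower().endswith("\\cmd.exe"):
                target = m.group("target")
                # Self-delete proper: the file being removed is the parent's image.
                if parent and parent.image.lower() == target.lower():
                    alerts.append(("self_delete_via_ping", e.pid, target))
                else:
                    alerts.append(("delayed_delete_via_ping", e.pid, target))
            elif TEMP_RE.search(e.image) and parent and TEMP_RE.search(parent.image):
                # A Temp-resident EXE launching another Temp-resident EXE is the
                # "executes dropped EXE" step of the tree.
                alerts.append(("temp_exe_spawned_from_temp_exe", e.pid, e.image))
        else:
            if RUN_KEY_RE.search(e.target_object) and TEMP_RE.search(e.details):
                alerts.append(("run_key_to_temp", e.pid, e.details))
    return alerts


# Constructed events mirroring the report's tree, plus one benign process.
EVENTS: List[Event] = [
    ProcessEvent(1704, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    RegistryEvent(1704, SAMPLE_PATH,
                  r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
                  r"\CurrentVersion\Run\MicroMedia", MEDIACENTER_PATH),
    ProcessEvent(1876, 1704, MEDIACENTER_PATH, MEDIACENTER_PATH),
    ProcessEvent(968, 1704, r"C:\Windows\SysWOW64\cmd.exe",
                 f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_PATH}"'),
    ProcessEvent(1920, 968, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcessEvent(2000, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for rule, pid, artefact in detect(EVENTS):
        print(f"{rule:32} pid={pid} {artefact}")
```

The self-delete rule distinguishes the case where the deleted path is the parent's own image (what this sample does) from a generic delayed delete of some other file, because only the former is a reliable dropper signal; the Run-key rule deliberately ignores the hive and the Wow6432Node redirection so the same rule fires for 32-bit and 64-bit writers.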
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 413e650430e3a30842e9adca71f9948e
  SHA1: 7223ce07be019c2f6ce934acc5eb4d403f33bbea
  SHA256: 6810c62a49fb8ebc1ed7c2bfeeccf38023e63c053235c8b0f8e6b2ea053c8ff3
  SHA512: 3927c90b6afff59f88e332bed2644359405b042aa5b889be00bced16fa26c156321fc1ed64fce5a8b0698bc8f66b53e151d82452cc7e1cb05d6139f9fdae7c0a
  Note: these hashes differ from the submitted sample's (MD5 d0924fccc9d672b68dfced05e98d367e above), so this is a distinct file; the report does not say which dropped or fetched artefact it is.